enableAllProjectMcpServers should default to false for security

Resolved 💬 4 comments Opened Apr 11, 2026 by crombieman Closed May 22, 2026

Description

enableAllProjectMcpServers is not set to false by default, meaning cloning any repository that contains a .mcp.json file will auto-load those MCP servers into the Claude Code session without user consent.

Security concern

A malicious repository could include a .mcp.json that loads attacker-controlled MCP servers. When a developer clones the repo and opens Claude Code, those servers are automatically available — no prompt, no confirmation. This is a supply-chain attack vector via repository configuration files (similar to malicious .vscode/settings.json or .npmrc in cloned repos).

Proposed fix

Default enableAllProjectMcpServers to false. Require explicit opt-in per project or a one-time confirmation prompt when project-level MCP servers are detected.

References

  • Check Point research demonstrated MCP config hijacking as an attack vector
  • Trail of Bits recommends enableAllProjectMcpServers: false in their security config

Environment

  • Claude Code 2.1.84
  • Windows 10

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗