[BUG] [Enterprise Security] mcp__* wildcard block is ineffective; Request for org-level MCP server control and allowlist

Resolved 💬 3 comments Opened Aug 11, 2025 by ujjwalkhad Closed Jan 11, 2026

Environment
Claude CLI version: 1.0.72 (Claude Code)
Operating System: Linux (Ubuntu)
Terminal: Terminal App

Bug Description
The wildcard blocking rule mcp__* is ineffective at disabling all MCP servers at the enterprise level. This failure prevents us from establishing a "deny-by-default" security posture for model communications, creating a significant and unacceptable risk of data leakage. This is a critical security vulnerability for enterprise customers.

Steps to reproduce
As an enterprise administrator, access the security configuration settings for your organization.
Define a blocking rule specifically for the pattern mcp__* with the intent to block all MCP servers and even though we tried it is not working.
Save the configuration.
Make a request to a model that would trigger any MCP server (e.g., a tool use or a built-in search functionality).
Observe the behavior of the MCP server.
Expected Behavior
The mcp__* rule should be enforced, and any attempt to execute an MCP server (e.g., mcp__search_tool, mcp__code_interpreter) should be blocked. The model or system should return an error indicating that the action is denied by organizational policy.

Actual Behavior
The mcp__* blocking rule is ignored. MCP servers continue to execute as if no block is in place, completely bypassing the intended security control. This means there is currently no effective way to block all MCP servers by default.

Additional Context
This issue is a follow-up to the concerns raised in #3107.

Our primary objective is to prevent data leakage by strictly controlling which external or internal services the model can communicate with. A simple blocklist is insufficient for enterprise security standards.

Feature Request for Enterprise Security:
To address this security gap properly, we request a more robust, org-level security model:

Global "Disable All MCP Servers" Switch: A master switch for administrators to disable all MCP functionality across the entire organization.
MCP Server Allowlist: Instead of a blocklist, enterprises need a "deny-by-default" model. We should be able to define an explicit allowlist of sanctioned MCP servers. Any server not on this list would be blocked automatically. This prevents new, unvetted MCP servers from being enabled by default in our secure environment.
The current bug, combined with the lack of these features, makes it impossible to enforce the strict data governance policies required by our organization. We consider this a high-priority security issue that needs immediate attention.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗