Asana has fixed a bug in its Model Context Protocol (MCP) server that could have allowed users to view other organizations' data, and the experimental feature is back up and running after nearly two weeks of downtime to fix the issue.
MCP is an open-source protocol first introduced by Anthropic in November 2024 that allows AI agents and language models to connect to external sources like databases and messaging platforms and interact with each other.
Asana, which provides software for managing workflows and collaboration among teams, rolled out its MCP server on May 1. The new feature allows users to integrate with and access their Asana data from other AI apps, plus use natural language queries to ask questions about their enterprise data.
According to the vendor's own documentation, there are risks involved:
Indeed, that caveat proved prescient: Asana discovered a vulnerability in the MCP server on June 4 and took the feature offline for maintenance from June 5 through June 17.
While the vendor's MCP incident report doesn't provide details about the coding error, according to a disclosure sent to customers and shared on social media, "this bug could have potentially exposed certain information from your Asana domain to other Asana MCP users."
As of Tuesday, Asana says the MCP interface is back up and running, but customers will have to reconnect to it.
"If your organization was using the MCP server and was impacted by this issue, we have already reached out to you directly with important details and next steps," the software firm noted in its postmortem. "As part of our remediation efforts, we reset all connections to the MCP server. This means you'll need to manually reconnect your Asana instance to the MCP server."
An Asana spokesperson told The Register, "we're working on a full incident report as we speak (our primary focus so far has been helping impacted customers with mitigation)," and promised to alert us when the report was available. The spokesperson did not answer our questions about the bug, including how many customers were affected.
There's no indication that miscreants exploited the issue - nor that users actually got a glimpse of other orgs' info - but it's a good reminder that bleeding-edge technology means new risks, or at least the same old risks manifested in new ways.
Considering enterprises may use Asana to share sensitive data while collaborating on projects, a leaky AI integration could have ended very badly for the software vendor and its customers.
The bug "highlights key lessons for any organization integrating LLMs," according to UpGuard director of research and insights Greg Pollock. The security shop recommends anyone using MCP "enforce strict tenant isolation and least-privilege access" to limit the scope of data that the AI systems can access.
It's also important to "log everything," and especially LLM-generated queries, to assist with any future incident reports and investigations, Pollock wrote. ®
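The two UpGuard recommendations above, tenant isolation with least privilege and logging of every LLM-generated query, as an added illustration in Python (example code, not Asana's or UpGuard's). It assumes a hypothetical MCP server exposing a `search_tasks` tool over a shared multi-tenant store; the tenant is bound to the authenticated session rather than to any argument the model supplies.

```python
"""Tenant-scoped MCP-style tool handler with an audit log (added example)."""
from dataclasses import dataclass, field
import json
import time

# Constructed sample data: two hypothetical Asana domains share one store,
# the situation in which a missing tenant filter would leak data across orgs.
TASKS = [
    {"domain": "acme.example", "gid": "1", "name": "Q3 budget review"},
    {"domain": "acme.example", "gid": "2", "name": "Vendor contract"},
    {"domain": "globex.example", "gid": "3", "name": "Reorg plan (confidential)"},
]

@dataclass
class Session:
    """The authenticated MCP connection. The domain comes from the token the
    user connected with, never from arguments the language model supplies."""
    user: str
    domain: str
    scopes: set = field(default_factory=set)

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, session, tool, args, outcome):
        # Log every LLM-originated query verbatim so an incident review can
        # reconstruct exactly what the model asked for and what it received.
        self.entries.append({"ts": time.time(), "user": session.user,
                             "domain": session.domain, "tool": tool,
                             "args": json.dumps(args, sort_keys=True),
                             "outcome": outcome})

def search_tasks(session, args, log):
    """Tool handler enforcing least privilege and strict tenant isolation."""
    if "tasks:read" not in session.scopes:
        log.record(session, "search_tasks", args, "denied:scope")
        raise PermissionError("tasks:read scope required")
    # The tenant is fixed by the session, so a model-supplied "domain"
    # argument is rejected (and logged) rather than honoured.
    if "domain" in args:
        log.record(session, "search_tasks", args, "denied:tenant_override")
        raise PermissionError("tenant is bound to the session")
    query = args.get("query", "").lower()
    hits = [t for t in TASKS
            if t["domain"] == session.domain and query in t["name"].lower()]
    log.record(session, "search_tasks", args, f"ok:{len(hits)}")
    return hits
```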