Asana's cutting-edge AI feature ran into a little data leakage problem

Asana has fixed a bug in its Model Context Protocol (MCP) server that could have allowed users to view other organizations' data, and the experimental feature is back up and running after nearly two weeks of downtime to fix the issue.

MCP is an open-source protocol first introduced by Anthropic in November 2024 that allows AI agents and language models to connect to external sources like databases and messaging platforms and interact with each other.

Asana, which provides software for managing workflows and collaboration among teams, rolled out its MCP server on May 1. The new feature allows users to integrate with and access their Asana data from other AI apps, plus use natural language queries to ask questions about their enterprise data.

According to the vendor's own documentation, there are risks involved:

Indeed, that caveat proved prescient: Asana discovered a vulnerability in the MCP server on June 4 and took the feature offline for maintenance from June 5 through June 17.

While the vendor's MCP incident report doesn't provide details about the coding error, according to a disclosure sent to customers and shared on social media, "this bug could have potentially exposed certain information from your Asana domain to other Asana MCP users."

As of Tuesday, Asana says the MCP interface is back up and running, but customers will have to reconnect to it.

"If your organization was using the MCP server and was impacted by this issue, we have already reached out to you directly with important details and next steps," the software firm noted in its postmortem. "As part of our remediation efforts, we reset all connections to the MCP server. This means you'll need to manually reconnect your Asana instance to the MCP server."

An Asana spokesperson told The Register, "we're working on a full incident report as we speak (our primary focus so far has been helping impacted customers with mitigation)," and promised to alert us when the report was available. The spokesperson did not answer our questions about the bug, including how many customers were affected.

There's no indication that miscreants exploited the issue - nor that users actually got a glimpse of other orgs' info - but it's a good reminder that bleeding-edge technology means new risks, or at least the same old risks manifested in new ways.

Considering enterprises may use Asana to share sensitive data while collaborating on projects, a leaky AI integration could have ended very badly for the software vendor and its customers.

The bug "highlights key lessons for any organization integrating LLMs," according to UpGuard director of research and insights Greg Pollock. The security shop recommends anyone using MCP "enforce strict tenant isolation and least-privilege access" to limit the scope of data that the AI systems can access.

It's also important to "log everything," and especially LLM-generated queries, to assist with any future incident reports and investigations, Pollock wrote. ®
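The two recommendations above, tenant isolation bound to the authenticated session rather than to model-supplied arguments, plus an audit record for every LLM-originated call, as an added illustration. This is constructed example code, not Asana's MCP server or a reconstruction of its bug (the report gives no details of the defect); the tool name, the in-memory task store and the session fields are assumptions.

```python
from dataclasses import dataclass
import json

# Constructed sample data: two tenants' tasks living in one shared store,
# the situation in which a missing tenant check leaks data across orgs.
TASKS = {
    "org-a": [{"id": 1, "name": "Q3 budget"}],
    "org-b": [{"id": 2, "name": "Acquisition plan"}],
}

AUDIT_LOG = []  # stand-in for a real log sink; every LLM call lands here


@dataclass(frozen=True)
class Session:
    """What the server knows from the OAuth token at connect time."""
    tenant_id: str
    user_id: str


def list_tasks_unscoped(args: dict) -> list:
    """Illustrative weak handler: trusts the workspace the model names,
    so a prompt or hallucination naming another org reads its data."""
    return TASKS.get(args.get("workspace"), [])


def list_tasks(session: Session, args: dict) -> list:
    """Hardened handler: the tenant is taken from the session, never from
    the arguments. A mismatching model-supplied workspace is refused."""
    requested = args.get("workspace")
    if requested is not None and requested != session.tenant_id:
        raise PermissionError("workspace is outside the caller's tenant")
    return TASKS.get(session.tenant_id, [])


def call_tool(session: Session, tool: str, args: dict) -> dict:
    """MCP-style dispatcher: logs the raw LLM-generated call before
    running it, then logs the outcome, so an incident can be replayed."""
    entry = {"user": session.user_id, "tenant": session.tenant_id,
             "tool": tool, "args": json.dumps(args, sort_keys=True)}
    handlers = {"list_tasks": list_tasks}
    try:
        rows = handlers[tool](session, args)
        entry["result"] = f"ok:{len(rows)}"
        return {"rows": rows}
    except PermissionError as exc:
        entry["result"] = "denied"
        return {"error": str(exc)}
    except KeyError:
        entry["result"] = "unknown_tool"
        return {"error": f"unknown tool {tool}"}
    finally:
        AUDIT_LOG.append(entry)
```

The audit entry is written in a `finally` block so that denied and failed calls are recorded as well as successful ones, which is what makes the log useful when a query like the one above has to be traced after the fact.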
