Agentic Intelligence · Infomly
Jun 19, 2026
6:01 PM
Agentic AI

Agno just collapsed 200 lines of MCP middleware into 5 lines of config. Your multi-tenant IDOR is still exposed.

Agno v2.6.15 just shipped custom, scoped, identity-aware MCP tools.

The AgentOS MCP server is no longer a black box of 19 hard-coded tools.

You can now register plain callables or Agno @tool Functions on the same /mcp mount. Scope built-ins with include_tags/exclude_tags. Disable them entirely with enable_builtin_tools=False.

But the real story is the security fix.

The previous MCP run tools called arun(message) with no user_id or session_id.

An authenticated MCP caller lost their identity entirely.

Any agent whose behavior depends on user_id — owner gating, guest restrictions, per-user memory — ran as anonymous.

PR #8404 fixes this. _resolve_user_id now binds to the JWT subject on authenticated requests. Both user_id and session_id thread into arun.

This closes a multi-tenant IDOR. Before the fix, an authenticated user could call MCP tools with user_id="bob" and read or modify that other tenant's sessions and memories.

The identity injection is elegant. Declare user_id in your custom tool signature. AgentOS fills it with the JWT subject and hides it from the client schema. No spoofing possible.

The authorize gate runs after JWT verification. Returns 401 before any tool or model executes. One line: authorize=is_owner.

DNS-rebinding protection is now built in. allowed_hosts validates the Host header against your deploy host plus localhost defaults. Malicious web pages can't drive your local MCP server via rebound DNS.

All configured with data, not middleware classes.

The @context project collapsed 200 lines of custom FastMCP, OwnerOnlyMiddleware, transport security helpers, and JWT re-attach glue into one MCPServerConfig object.

Audit your MCP tool handlers today. If you're passing user_id from client input without JWT binding, you have the same IDOR.

SOURCE: https://github.com/agno-agi/agno/pull/8404
VERIFIED: GitHub PR #8404 (merged June 15, 2026), Agno v2.6.15 release notes, PR #7811 (original IDOR fix)
SIGNAL: MCP tool governance is becoming a first-class concern. Frameworks that ship identity-aware tool registration will replace hand-rolled middleware stacks.
