Your MCP tool handlers accept user_id from whoever calls them.
No JWT check. No authorization.
An authenticated user (alice) can call any MCP tool with user_id="bob" and read another tenant's sessions, memories, and traces.
This is a textbook IDOR vulnerability in multi-tenant agent systems. And it was live in Agno's AgentOS.
Agno v2.6.15 ships today with the fix.
The pattern: `_resolve_user_id` binds the caller-supplied user_id to the JWT subject on every authenticated request. The caller can still pass user_id — it just gets overridden silently. No schema change. No breaking API.
But the new feature is the real shift.
Your MCP tools can now declare `user_id` as a parameter. AgentOS injects the authenticated caller's identity automatically — and hides the field from the client schema entirely. The LLM never sees user_id. It can never be spoofed via prompt injection.
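An added illustration of the two mechanisms described above (JWT-bound override of a caller-supplied `user_id`, and hiding that field from the client schema), written for this note in framework-independent Python; it is not Agno's code, and `AuthContext`, `resolve_user_id`, `client_schema`, `call_tool` and the `SESSIONS` store are names and data constructed here.

```python
import inspect
from dataclasses import dataclass
from typing import Any, Callable, Optional

# Constructed stand-in for the claims of an already-verified JWT. A real
# server gets this from its JWT verification step, never from the request body.
@dataclass(frozen=True)
class AuthContext:
    subject: str  # the "sub" claim

# Constructed per-tenant store so the example runs offline.
SESSIONS = {"alice": ["sess-alice-1"], "bob": ["sess-bob-1", "sess-bob-2"]}

def list_sessions(user_id: str, limit: int = 10) -> list:
    """Tool handler: trusts whatever user_id it is handed."""
    return SESSIONS.get(user_id, [])[:limit]

def call_tool_unsafe(tool: Callable[..., Any], auth: AuthContext, arguments: dict) -> Any:
    """The vulnerable shape: caller-supplied arguments reach the handler as-is."""
    return tool(**arguments)

def resolve_user_id(auth: Optional[AuthContext], requested: Optional[str]) -> Optional[str]:
    """On an authenticated request the JWT subject wins; the caller may still
    pass user_id, it is simply overridden (no schema or API change)."""
    return auth.subject if auth is not None else requested

def client_schema(tool: Callable[..., Any]) -> dict:
    """Parameter schema shown to the client/model, with user_id removed so it
    can never be set through the prompt."""
    params = inspect.signature(tool).parameters
    return {"name": tool.__name__,
            "parameters": [name for name in params if name != "user_id"]}

def call_tool(tool: Callable[..., Any], auth: Optional[AuthContext], arguments: dict) -> Any:
    """Hardened dispatch: authorize gate, then identity injection, then the tool."""
    if auth is None:
        raise PermissionError("401: no verified identity")  # runs before any tool or model
    args = dict(arguments)
    if "user_id" in inspect.signature(tool).parameters:
        # Whatever the client or model placed in user_id is discarded here.
        args["user_id"] = resolve_user_id(auth, args.get("user_id"))
    return tool(**args)

if __name__ == "__main__":
    alice = AuthContext(subject="alice")
    print(call_tool_unsafe(list_sessions, alice, {"user_id": "bob"}))  # bob's data leaks
    print(call_tool(list_sessions, alice, {"user_id": "bob"}))         # alice's own data
    print(client_schema(list_sessions))                                # parameters: ['limit']
```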
A one-line authorize gate runs after JWT verification, before any tool or model executes. It 401s unauthorized callers before they reach your agent logic.
Built-in DNS-rebinding protection via allowed_hosts. Malicious web pages cannot drive your always-on MCP server through a rebound DNS name.
The proof: @context's hand-rolled 200-line owner-only MCP server collapsed to a single MCPServerConfig object. Zero custom middleware classes.
If you are running multi-tenant agent systems with MCP tools, audit your tool handlers now.
Check every endpoint that accepts user_id. Verify it is bound to the JWT subject, not caller-supplied. If you are relying on the LLM to pass the right user_id, you have already been compromised.
Upgrade to Agno v2.6.15 or implement `_resolve_user_id` in your own MCP layer today.
SOURCE: https://github.com/agno-agi/agno/releases/tag/v2.6.15
VERIFIED: https://github.com/agno-agi/agno/pull/8404, https://github.com/agno-agi/agno/pull/7811, https://docs.agno.com/agent-os/security/authorization/user-isolation
SIGNAL: Multi-tenant IDOR in MCP tool handlers is a systemic vulnerability across agent frameworks. Agno's fix — JWT-bound identity injection hidden from client schemas — is the pattern every MCP server needs.
TITLE: Your MCP tools let any user impersonate any other user. Agno just fixed it.