Papers
Topics
Authors
Recent
Search
2000 character limit reached

Breaking MCP with Function Hijacking Attacks: Novel Threats for Function Calling and Agentic Models

Published 22 Apr 2026 in cs.CR, cs.AI, and cs.CL | (2604.20994v1)

Abstract: The growth of agentic AI has drawn significant attention to function calling LLMs, which are designed to extend the capabilities of AI-powered system by invoking external functions. Injection and jailbreaking attacks have been extensively explored to showcase the vulnerabilities of LLMs to user prompt manipulation. The expanded capabilities of agentic models introduce further vulnerabilities via their function calling interface. Recent work in LLM security showed that function calling can be abused, leading to data tampering and theft, causing disruptive behavior such as endless loops, or causing LLMs to produce harmful content in the style of jailbreaking attacks. This paper introduces a novel function hijacking attack (FHA) that manipulates the tool selection process of agentic models to force the invocation of a specific, attacker-chosen function. While existing attacks focus on semantic preference of the model for function-calling tasks, we show that FHA is largely agnostic to the context semantics and robust to the function sets, making it applicable across diverse domains. We further demonstrate that FHA can be trained to produce universal adversarial functions, enabling a single attacked function to hijack tool selection across multiple queries and payload configurations. We conducted experiments on 5 different models, including instructed and reasoning variants, reaching 70% to 100% ASR over the established BFCL dataset. Our findings further demonstrate the need for strong guardrails and security modules for agentic systems.

Summary

  • The paper demonstrates that Function Hijacking Attacks can subvert agentic LLMs by injecting adversarial tokens into function descriptions.
  • It employs gradient-based adversarial prompt engineering to manipulate function selection, achieving 70%-100% attack success across models.
  • Extensive experiments on the BFCL dataset and real systems confirm the robustness of the attack, highlighting critical vulnerabilities in MCP protocols.

Function Hijacking Attacks on MCP: Systematic Vulnerabilities in Function Calling Agentic Models

Overview

"Breaking MCP with Function Hijacking Attacks: Novel Threats for Function Calling and Agentic Models" (2604.20994) presents a rigorous investigation into the vulnerability of function-calling LLMs, specifically those operating under Model Context Protocols (MCP) in agentic AI systems. The paper formalizes a Function Hijacking Attack (FHA) capable of manipulating the tool selection process to force invocation of attacker-chosen functions. The approach is agnostic to both the semantics of context and the specifics of function sets, ensuring broad applicability and robustness across diverse agentic environments. The work establishes the attack's generality and efficacy against state-of-the-art models, underscores its practical implications given current system designs, and sets a clear challenge for securing agentic LLMs. Figure 1

Figure 1: High-level illustration of FHA operation on a GitHub MCP server, where function metadata is poisoned to induce malicious selection.

Technical Contributions

The attack leverages gradient-based adversarial prompt engineering, adapting the GCG jailbreaking method (Zou et al., 2023) explicitly for the function calling paradigm. In FHA, adversarial tokens are injected directly into the description field of a target function within the MCP's available functions list—a vector exposed to users but challenging to validate through automated means. The optimization objective minimizes cross-entropy loss between the desired function call output and the poisoned input, with strict control over only the textual description, avoiding detectable artifacts like name changes or altered parameters.

The methodology is formalized as follows:

  • Let F={f1,,fm}F = \{f_1, \ldots, f_m\} represent available functions and qq the user query. Model πϕ\pi_\phi is fine-tuned for function calling.
  • The attacker perturbs the description of ftargetf_\text{target}, yielding x^1:s\hat{x}_{1:s}, with the output forced as y^fh={ftargetname,atarget,1,}\hat{y}_\text{fh} = \{f_\text{target}^\text{name}, a_{\text{target},1}, \ldots\}.
  • The optimization minimizes Ladv(x^1:s)=logPπϕ(y^fhx^1:s)\mathcal{L}_\text{adv}(\hat{x}_{1:s}) = -\log P_{\pi_{\phi}}(\hat{y}_{\text{fh}} \mid \hat{x}_{1:s}).

This attack, instantiated with LLMs such as Llama-3.2-3B-Instruct, Mistral-7B-Instruct-v0.3, and Qwen-3 series, demonstrates broad transferability, high efficacy, and minimal detection risk in real-world MCP deployments.

Empirical Evaluation

Extensive experiments utilize the Berkeley Function Calling Leaderboard (BFCL) dataset [patil2023gorillalargelanguagemodel], comprising diverse payloads and function configurations, to rigorously benchmark the FHA. The evaluations target both instructed and reasoning LLMs, testing attack resilience against variations in function position, count, and semantic diversity.

Key numerical results:

  • FHA achieves 70%–100% Attack Success Rate (ASR) across target models and datasets, far surpassing prior indirect prompt or tool preference manipulation baselines.
  • Slot-filling ASRs (valid parameter generation) closely follow function-name ASR, indicating practical viability for real-world exploitation.
  • Universal attacks trained to hijack batches of semantically diverse queries generalize successfully across unseen prompts and varying function sets. Figure 2

Figure 2

Figure 2: FHA effectiveness (ASR) as a function of target function position within the payload and varying total function count.

Figure 3

Figure 3

Figure 3: Demonstration of direct versus transferred adversarial attacks, and comparison across synthetic query generation strategies.

Attack robustness was further validated by transfer experiments: poisoning persisted despite moderate addition/removal of functions and changes in position/order (Takeway 2.3). Universal FHA, optimized across multiple payloads, further enhanced tolerance to heavy MCP edits—demonstrably hijacking with up to 25 noise functions added.

Analysis of Payload Properties and Universality

A systematic analysis establishes that both the position and total number of functions in the payload significantly impact attack efficiency. Adversarial token proportion relative to overall context, and early placement of the targeted function, were found to positively correlate with hijacking success and speed.

Correlation studies with BERT-based semantic similarity metrics highlight that target functions closer to the user's query (in embedding space) require fewer optimization epochs, yet semantic proximity is not strictly necessary for attack effectiveness.

Universal FHA variants, trained across synthetic query batches (via data augmentation with GPT-4o-mini), successfully generalize, with single adversarial descriptors hijacking function selection for semantically diverse or multi-intent inputs. Transferability depends on batch composition: attacks can be designed to only affect chosen functions/intents, leaving unrelated ones unaffected. Figure 4

Figure 4

Figure 4: Robustness of universal FHA as measured by batch attacks across varying function positions and numbers within the payload.

Security Implications and Comparative Analysis

Baseline comparisons against Function Injection (using Llama-3-70B for function preference optimization) and the MCP Preference Manipulation Attack (MPMA) (Wang et al., 16 May 2025) reveal that FHA is substantially more generalizable and effective. Prior attacks are constrained by semantic preference or similarity; FHA exploits the MCP protocol's reliance on textual description exposed to users and bypasses semantic alignment mechanisms.

Demonstrations on real MCP servers (GitHub, Slack) validate practical applicability, reinforcing the urgent need for defensive measures. The systematic vulnerabilities identified challenge both detection and mitigation paradigms and expose agentic architectures to stealthy, enduring exploits.

Theoretical and Practical Implications

The research fundamentally augments the taxonomy of adversarial threats against function-calling LLM agents. The identification of description-based poisoning as a universal, context-agnostic vector compels reconsideration of MCP validation, function metadata sanitization, and model tool-selection robustness.

From a theoretical perspective, the work motivates deeper exploration of attention distribution and optimization boundaries in function-calling mechanisms. The vulnerability to gradient-driven attacks highlights the fragility of current alignment and selection protocols; universal attack variants exemplify the difficulty of designing parameterized defenses.

Practical implications are immediate for all MCP-based agentic deployments, particularly in enterprise automation, code execution, and interactive environments. Enhanced guardrails, stricter access to function metadata, and monitoring for adversarial perturbations are non-optional.

Future Directions

The findings call for research into scalable detection of adversarial function descriptions, exploration of robust attention-based defenses, and systematic evaluation of larger-scale MCPs with high function count and domain breadth. Further study is necessary to quantify the impact of semantic and syntactic perturbations, as well as to integrate adversarial training into function-calling LLM pipelines.

Conclusion

The paper rigorously establishes the existence and potency of Function Hijacking Attacks against function-calling LLMs in MCP agentic architectures. The adversarial vector, grounded in description-based poisoning, is both universal and robust across model types, function configurations, and query diversities. Numerical results highlight high attack success and practical viability, mandating significant revision of MCP agent security paradigms. The theoretical expansion to batch/Universal attacks and empirical validation on real systems signal urgent avenues for both defensive countermeasures and further foundational research.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 3 tweets with 6 likes about this paper.