Linear Exploit: Bypassing Team ACLs

A critical vulnerability in Linear's MCP integration allows attackers to bypass team-level access controls and exfiltrate confidential data. This exploit, discovered by CodeIntegrity researchers, uses malicious prompts to hijack the MCP, turning a seemingly harmless query into a significant data breach.

The Setup: Segregating Confidential Data

The scenario involves two Linear teams: confidential_team, with restricted access, and public_team, with broader access. A user manages these teams through the Linear MCP in their IDE.

The Attack: A Four-Step Exploitation

The attack unfolds in a sequence of steps, beginning with a malicious prompt and ending in data exfiltration.

Step 1: Injecting the Malicious Prompt

An attacker, without access to confidential_team, injects a malicious prompt into a task in public_team. This is the entry point for the exploit.

Step 2: Compromising the MCP

A legitimate user with access to confidential_team queries their IDE about recent updates in public_team. When the IDE's chat feature retrieves this information, it is compromised by the embedded malicious prompt.

Step 3: Exfiltrating Confidential Data

The compromised MCP is hijacked, causing it to update the public_team issue with confidential data from an issue in private_team.

Step 4: Capturing the Leaked Information

The attacker can then access the private data that has been exfiltrated to the public team.

The Anatomy of the Attack

This diagram provides a high-level overview of the attack flow, from prompt injection to data exfiltration.

Why This Attack Is So Dangerous

This exploit is a classic example of an Indirect Prompt Injection attack. The malicious prompt, stored in a public ticket, is later retrieved by a privileged user, hijacking the MCP in two critical ways:

• Control Flow Hijack: The prompt dictates a malicious sequence of tool calls (list_comments → get_issue → update_issue), forcing the MCP to perform actions in an order that leads to data exfiltration.
• Data Flow Corruption: The data retrieved from a confidential issue is rerouted. Instead of flowing back to the user, it is injected into the body parameter of the update_issue tool call, effectively redirecting sensitive information to a public ticket.

This attack vector is a variant of LLM01: Prompt Injection, the number one vulnerability in the OWASP Top 10 for Large Language Model Applications. It has two particularly dangerous characteristics:

• Invisible Privilege Escalation: A comment in a public Linear team can trick the MCP agent into acting with a privileged user's token, silently bypassing Linear's team-level ACLs.
• "Drive-by" Exfiltration: No credentials, phishing, or OAuth consent are needed—just a single update in a ticket the attacker already has access to. One well-placed prompt can leak the contents of every linked confidential issue.

How to Mitigate the Risk with CodeIntegrity

Protecting against this exploit is straightforward with CodeIntegrity's security policies. By implementing targeted guardrails, we can block unauthorized data access without disrupting workflows.

Identifying the Attack Signature

To develop an effective security policy, we first need to identify the exploit's signature pattern. The attack requires a specific sequence of tool calls to succeed:

1. First, the attacker must read data from a confidential issue.
2. Then, they must exfiltrate that data to a public issue.

All successful exploits must use the update_issue tool call to exfiltrate the stolen data. However, simply blocking update_issue is too restrictive, as it would prevent legitimate updates and severely limit Linear MCP functionality.

Implementing a Targeted Policy

A closer analysis reveals that the attack follows a specific tool call sequence. The malicious pattern always includes:

1. Reading comments: list_comments
2. Followed by reading issue data: list_issues, get_issue, or list_my_issues
3. Followed by exfiltration: update_issue