A newly discovered vulnerability in ChatGPT’s Model Context Protocol (MCP) poses a serious security risk, particularly when Developer Mode is enabled. Researchers from the University of Oxford, led by Eito Miyamura, have demonstrated a dangerous prompt-injection attack that allows attackers to gain unauthorized access to a victim’s email inbox using only their email address. The exploit leverages MCP, a protocol introduced by Anthropic in late 2024 to enable large language models (LLMs) to securely interact with external tools and services like Gmail and Google Calendar. The core of the attack lies in a malicious calendar invitation. An attacker sends a calendar invite containing hidden, crafted instructions embedded within the event description. When the victim’s ChatGPT account—especially one with Developer Mode enabled—processes this invite, the MCP interprets and executes the malicious commands automatically. This allows the attacker to manipulate ChatGPT into performing actions on the victim’s behalf, such as reading, forwarding, or even deleting emails from their inbox. What makes this attack particularly alarming is its simplicity and low barrier to entry. The attacker needs only the victim’s email address to initiate the attack. No prior access to the victim’s account or device is required. Once the malicious invite is accepted, the compromised ChatGPT instance becomes a conduit for data exfiltration, potentially exposing highly sensitive information such as financial reports, corporate trade secrets, bank details, and stored passwords. The vulnerability stems from how MCP handles external inputs. While designed to improve functionality by allowing LLMs to interact with real-world tools, the protocol lacks sufficient safeguards against malicious input injection. In this case, the calendar invite’s content is treated as a legitimate context for action, bypassing normal security checks. This flaw highlights a critical gap in the design of open, interoperable AI systems—where enhanced capabilities come at the cost of increased attack surface. The implications are significant, especially for enterprise users and individuals relying on AI tools to manage sensitive communications. Organizations using ChatGPT with MCP-enabled integrations may now face heightened risks of data breaches, especially if employees accept calendar invites from unknown sources. Even a single compromised account could lead to widespread data exposure. While Anthropic and OpenAI have not yet issued a formal patch, experts recommend caution. Users should avoid enabling Developer Mode unless absolutely necessary and exercise extreme care when accepting calendar invites or other external content in ChatGPT. Organizations should implement strict security policies, including email filtering and user training, to mitigate such risks. This incident underscores a broader challenge in AI development: balancing innovation with security. As LLMs become more integrated with personal and corporate systems, the potential for abuse grows. The MCP attack serves as a wake-up call for developers, companies, and users to prioritize robust input validation, context isolation, and security-by-design principles in AI systems. In summary, while MCP offers powerful new capabilities for AI tools, it also introduces serious security risks. The ability of an attacker to exploit a simple calendar invite to access sensitive data highlights the urgent need for stronger safeguards. Users and organizations must remain vigilant, especially when enabling advanced features like Developer Mode, to avoid becoming victims of sophisticated prompt-injection attacks.