Fix unintended credential exposure to MCP Servers (#17311)

Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>
2026-03-10 14:10:37 -07:00 · 2026-01-28 13:56:15 -05:00
parent 3787c71d15
commit 47f4a3e50e
6 changed files with 131 additions and 9 deletions
--- a/docs/tools/mcp-server.md
+++ b/docs/tools/mcp-server.md
@@ -739,10 +739,21 @@ The MCP integration tracks several states:
  cautiously and only for servers you completely control
 - **Access tokens:** Be security-aware when configuring environment variables
  containing API keys or tokens
+- **Environment variable redaction:** By default, the Gemini CLI redacts
+  sensitive environment variables (such as `GEMINI_API_KEY`, `GOOGLE_API_KEY`,
+  and variables matching patterns like `*TOKEN*`, `*SECRET*`, `*PASSWORD*`) when
+  spawning MCP servers using the `stdio` transport. This prevents unintended
+  exposure of your credentials to third-party servers.
+- **Explicit environment variables:** If you need to pass a specific environment
+  variable to an MCP server, you should define it explicitly in the `env`
+  property of the server configuration in `settings.json`.
 - **Sandbox compatibility:** When using sandboxing, ensure MCP servers are
-  available within the sandbox environment
+  available within the sandbox environment.
 - **Private data:** Using broadly scoped personal access tokens can lead to
-  information leakage between repositories
+  information leakage between repositories.
+- **Untrusted servers:** Be extremely cautious when adding MCP servers from
+  untrusted or third-party sources. Malicious servers could attempt to
+  exfiltrate data or perform unauthorized actions through the tools they expose.

 ### Performance and resource management