4 Sources
[1]
Asana MCP server back online after plugging a data-leak hole
Asana has fixed a bug in its Model Context Protocol (MCP) server that could have allowed users to view other organizations' data, and the experimental feature is back up and running after nearly two weeks of downtime to fix the issue.

MCP is an open-source protocol first introduced by Anthropic in November 2024 that allows AI agents and language models to connect to external sources like databases and messaging platforms and interact with each other.

Asana, which provides software for managing workflows and collaboration among teams, rolled out its MCP server on May 1. The new feature allows users to integrate with and access their Asana data from other AI apps, plus use natural language queries to ask questions about their enterprise data. According to the vendor's own documentation, there are risks involved:

Indeed, that caveat proved prescient: Asana discovered a vulnerability in the MCP server on June 4 and took the feature offline for maintenance from June 5 through June 17. While the vendor's MCP incident report doesn't provide details about the coding error, according to a disclosure sent to customers and shared on social media, "this bug could have potentially exposed certain information from your Asana domain to other Asana MCP users."

As of Tuesday, Asana says the MCP interface is back up and running, but customers will have to reconnect to it. "If your organization was using the MCP server and was impacted by this issue, we have already reached out to you directly with important details and next steps," the software firm noted in its postmortem. "As part of our remediation efforts, we reset all connections to the MCP server. This means you'll need to manually reconnect your Asana instance to the MCP server."

An Asana spokesperson told The Register, "we're working on a full incident report as we speak (our primary focus so far has been helping impacted customers with mitigation)," and promised to alert us when the report was available.
The spokesperson did not answer our questions about the bug, including how many customers were affected. There's no indication that miscreants exploited the issue -- nor that users actually got a glimpse of other orgs' info -- but it's a good reminder that bleeding-edge technology means new risks, or at least the same old risks manifested in new ways. Considering enterprises may use Asana to share sensitive data while collaborating on projects, a leaky AI integration could have ended very badly for the software vendor and its customers. The bug "highlights key lessons for any organization integrating LLMs," according to UpGuard director of research and insights Greg Pollock. The security shop recommends anyone using MCP "enforce strict tenant isolation and least-privilege access" to limit the scope of data that the AI systems can access. It's also important to "log everything," and especially LLM-generated queries, to assist with any future incident reports and investigations, Pollock wrote. ®
[2]
Asana warns MCP AI feature exposed customer data to other orgs
Work management platform Asana is warning users of its new Model Context Protocol (MCP) feature that a flaw in its implementation potentially led to data exposure from their instances to other users and vice versa. The data exposure was due to a logic flaw in the MCP system and not the result of a hack, but the risk that arises from the incident could still be significant in some cases. Asana is a project and task management SaaS platform used by organizations to plan, track, and manage work, assign tasks to team members, set deadlines, and collaborate from a centralized interface. As of last year, the platform had over 130,000 paying customers and millions of free-tier users across 190 countries. On May 1, 2025, Asana introduced the MCP server feature with large language model (LLM) integration, enabling AI-powered capabilities such as summarization, smart replies, natural language queries, and more. However, a software bug in the MCP server exposed data from Asana instances to other MCP users, with the data type being limited to each user's access scope. This means that organizations did not have their entire Asana workspace leaked to the public. Still, other companies' users with access to MCP might have seen certain data from another domain, including chatbot-generated queries. Depending on the integration type and engagement with the chatbots, the exposed data could include task-level information, project metadata, team details, comments and discussions, and any uploaded files. Asana discovered the logic flaw that created this exposure on June 4, so these cross-organization data leaks occurred for over a month. Given the functional role of Asana within organizations, it is possible that these leaks contained sensitive information that could create privacy or even regulatory complexities for impacted entities. 
For this reason, it is recommended that admins review Asana logs for MCP access, review generated AI summaries or answers, and report it immediately if they see data that appears to have been pulled from another organization. LLM integration should be set to restricted access, and auto-reconnections and bot pipelines should be paused until trust has been re-established and there are no residual exposure risks. Asana sent notices with links to communication forms to each impacted organization but has not issued a public statement about the incident. UpGuard, who informed BleepingComputer about the issue, shared more details on its own blog space, including advice for potentially impacted users. BleepingComputer has contacted Asana to ask about the scope of the exposure and the number of affected organizations/users, and a spokesperson has told us the incident impacts roughly 1,000 customers. In the meantime, the MCP server has been taken offline, but Asana's status page indicates that it has returned to normal operational status as planned on June 17, 17:00 UTC.
[3]
Asana AI-powered tool had a bug which exposed user data to other users
Popular project management platform Asana is warning users a newly-introduced tool may have leaked their data to others on the service

Research from security experts UpGuard noted that in early May 2025, Asana introduced Model Context Protocol (MCP) server, a tool that lets AI products such as ChatGPT or Copilot interact with Asana's Work Graph. This allows users to query for information using natural language, manage their tasks and projects with the help of AI, and get real-time updates using the MCP standard. However, the tool was implemented with a bug that exposed data from Asana instances to other MCP users. Not all data was exposed, though, as it was limited to each user's access scope. Still, given that many enterprises rely on Asana when managing important tasks and large projects, it could mean sensitive information was leaked (such as project metadata, team details, discussions, uploaded files, and similar).

Asana apparently discovered the bug on June 4, meaning the platform was leaking data for a month - the company is sending out notices with links to communication forms to impacted organizations, but apart from that it's staying relatively silent on the matter. We don't know if any users suffered any meaningful damage as a result of this flaw, but the company did tell BleepingComputer that it impacted roughly 1,000 customers. It has more than 130,000 paying customers all over the world including, according to some sources, heavy hitters such as Spotify, Uber, or Airbnb.

In any case, users should review Asana logs for MCP access, review generated AI summaries, and report to Asana if they see information seemingly coming in from a separate organization. Furthermore, users are advised to set LLM integration to restricted access and pause auto-reconnections and bot pipelines for the time being.
[4]
Asana bug in new AI feature may have exposed data to other users for weeks
A bug in one of Asana's new AI features made user information accessible to other users for several weeks. The company said the issue was resolved and it was the result of a malicious hack. Instead, it appeared to be a logic flaw in its MCP (Model Context Protocol) server that was released on May 1, according to cybersecurity firm UpGuard (via BleepingComputer).

MCP is an open-source framework that enables AI assistants to interact with sites and apps. The introduction of Asana's MCP Server enabled companies to integrate AI features like summarization and natural language search from LLMs. The rise of generative AI tools and new standards that enable interoperability for LLMs create new privacy issues and increased cybersecurity risk. MCP servers are a shiny new target for hackers, and there's also risk of prompt injection attacks, token theft, and a general increase in data leaks since MCPs request broad permission to function smoothly, according to a blog post from cybersecurity firm Pillar.

According to UpGuard, the bug "appears to have been part of this initial release," and was discovered by Asana on June 4. But during this time, Asana users working with the MCP server have been able to access information from other accounts' "projects, teams, tasks, and other Asana objects," according to an email reportedly sent to customers impacted. In a statement to BleepingComputer, Asana said the bug impacted around 1,000 accounts. Asana has more than 130,000 companies using its project management platform, including some big companies like Uber, Spotify, and Airbnb.

Asana took the server offline and informed customers using the MCP server on June 16 of the bug. "As soon as the vulnerability was discovered, our teams immediately took the MCP server down and resolved the issue in our code," Asana said in its statement to BleepingComputer.
Meanwhile, it is working to bring the server back online and sent a contact form to customers potentially impacted to compile a full report of which companies may have had their data exposed. It's unclear yet if there was any major data breach, but Asana advised companies to review their logs for MCP access and any information generated by their AI tools and report it to Asana if they find any data that doesn't belong to their company.
Asana's Model Context Protocol (MCP) server, an AI integration feature, experienced a bug that potentially exposed user data to other organizations. The incident affected approximately 1,000 customers and raises concerns about data privacy in AI-powered tools.
Asana, a popular project management platform, recently faced a significant security issue with its newly introduced Model Context Protocol (MCP) server. The bug, discovered on June 4, 2025, potentially exposed user data to other organizations for over a month, affecting approximately 1,000 customers [1][2].
The MCP server, launched on May 1, 2025, implements the Model Context Protocol, an open-source protocol that allows AI agents and language models to interact with external sources, including databases and messaging platforms [1]. Asana implemented this feature to enable users to integrate their Asana data with other AI applications and use natural language queries to access enterprise data [1].
However, a logic flaw in the MCP server implementation led to a data exposure risk. The bug could have allowed users to view information from other organizations' Asana domains, limited to each user's access scope [2][3].
While Asana has not provided detailed information about the coding error, the potential data exposure could include:
- task-level information
- project metadata
- team details
- comments and discussions
- any uploaded files

The extent of the exposure depended on the integration type and engagement with the chatbots. It's important to note that organizations did not have their entire Asana workspace leaked to the public [2].
Upon discovering the vulnerability on June 4, Asana took immediate action:
- took the MCP server offline for maintenance from June 5 through June 17
- reset all existing connections to the MCP server
- contacted impacted customers directly with details and next steps

As of June 18, the MCP interface is back online, but customers need to manually reconnect their Asana instances to the server [1].
This incident serves as a crucial reminder of the potential risks associated with integrating emerging AI technologies into existing platforms. Greg Pollock, director of research and insights at UpGuard, emphasized key lessons for organizations integrating Large Language Models (LLMs):
- enforce strict tenant isolation and least-privilege access, so that the AI system can reach only the data its caller is entitled to
- log everything, and especially LLM-generated queries, so that future incident reports and investigations have a record to work from
In light of this incident, security experts recommend that Asana users take the following precautions:
- review Asana logs for MCP access
- review generated AI summaries or answers
- report to Asana immediately any data that appears to have been pulled from another organization
- set LLM integration to restricted access
- pause auto-reconnections and bot pipelines until trust has been re-established and there are no residual exposure risks
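The isolation, least-privilege and logging controls recommended in the two passages above, as an added example that is not Asana's code and is not taken from any of the sources: a toy MCP-style task tool in Python. The organization ids, task records, the scope name `tasks:read`, and the `Session`, `AuditLog` and `TaskTool` types are all constructed for the illustration. The point it demonstrates is that the tenant filter is taken from the authenticated session rather than from anything the model puts in its request, that a task id belonging to another tenant is answered exactly like a missing one, and that refused cross-tenant lookups are written to the same audit log as successful calls, so that an admin reviewing logs for MCP access afterwards can actually find them.

```python
"""Tenant-scoped MCP-style tool handler with an audit trail.

Added example, not Asana's or any vendor's code: a toy "search_tasks" /
"get_task" tool of the kind an MCP server exposes to a language model.
The tenant (organization) comes from the authenticated session, every
lookup is filtered by that tenant and by an explicit tool scope, and
every LLM-generated query is logged with the tenant it was served under.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import json
import time

# Constructed sample data: two organizations (tenants), each with tasks.
TASKS: List[Dict[str, str]] = [
    {"gid": "1001", "org": "org_acme", "name": "Q3 budget review"},
    {"gid": "1002", "org": "org_acme", "name": "Hire SRE lead"},
    {"gid": "2001", "org": "org_globex", "name": "Merger diligence"},
]


@dataclass(frozen=True)
class Session:
    """What the server knows about the caller after authentication (constructed)."""
    user: str
    org: str              # tenant identity, fixed when the connection was authorized
    scopes: frozenset     # least-privilege grants, e.g. {"tasks:read"}


class PermissionDenied(Exception):
    """Raised when a request falls outside the caller's tenant or scopes."""


@dataclass
class AuditLog:
    """Append-only record of every tool call, including refused ones."""
    entries: List[dict] = field(default_factory=list)

    def record(self, session: Session, tool: str, query: str,
               results: int, outcome: str) -> None:
        self.entries.append({
            "ts": time.time(), "user": session.user, "org": session.org,
            "tool": tool, "query": query, "results": results, "outcome": outcome,
        })

    def cross_tenant_attempts(self) -> List[dict]:
        """The detection view: calls that asked for another tenant's data."""
        return [e for e in self.entries if e["outcome"] == "cross_tenant_refused"]


class TaskTool:
    def __init__(self, audit: AuditLog) -> None:
        self.audit = audit

    def _require(self, session: Session, scope: str, tool: str, query: str) -> None:
        # Least privilege: a missing scope is refused and logged, never implied.
        if scope not in session.scopes:
            self.audit.record(session, tool, query, 0, "scope_denied")
            raise PermissionDenied(f"{session.user} lacks scope {scope}")

    def search_tasks(self, session: Session, query: str,
                     org: Optional[str] = None) -> List[Dict[str, str]]:
        """Return the caller's tasks whose name contains `query`.

        `org` is whatever the model put in the request; it is logged but may
        only confirm, never widen, the tenant bound to the session.
        """
        self._require(session, "tasks:read", "search_tasks", query)
        if org is not None and org != session.org:
            self.audit.record(session, "search_tasks", query, 0, "cross_tenant_refused")
            raise PermissionDenied("requested org does not match session tenant")
        hits = [t for t in TASKS
                if t["org"] == session.org and query.lower() in t["name"].lower()]
        self.audit.record(session, "search_tasks", query, len(hits), "ok")
        return hits

    def get_task(self, session: Session, gid: str) -> Optional[Dict[str, str]]:
        """Fetch one task by id; an id from another tenant yields None."""
        self._require(session, "tasks:read", "get_task", gid)
        task = next((t for t in TASKS if t["gid"] == gid), None)
        if task is None or task["org"] != session.org:
            # Same answer for "missing" and "not yours": no existence oracle,
            # but the log still distinguishes the two for the responders.
            outcome = "cross_tenant_refused" if task else "not_found"
            self.audit.record(session, "get_task", gid, 0, outcome)
            return None
        self.audit.record(session, "get_task", gid, 1, "ok")
        return task


if __name__ == "__main__":
    log = AuditLog()
    tool = TaskTool(log)
    alice = Session("alice@acme", "org_acme", frozenset({"tasks:read"}))
    print(tool.search_tasks(alice, "budget"))   # only org_acme tasks
    print(tool.get_task(alice, "2001"))         # None: belongs to org_globex
    print(json.dumps(log.cross_tenant_attempts(), indent=1))
```

The design choice worth noting is that the model-supplied `org` argument exists only so a mismatch can be logged; the actual filter never reads it. If the tool had trusted that argument, every tenant boundary would have depended on the language model choosing to pass the right value.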
This incident highlights the growing concerns surrounding data privacy and security in the age of AI integration. As companies rush to implement AI-powered features, it's crucial to maintain robust security measures and consider the potential risks of data exposure [4].
The Asana bug serves as a reminder that even well-established platforms can face significant challenges when implementing new AI technologies. As the adoption of AI continues to accelerate across industries, organizations must prioritize security and privacy considerations to protect sensitive user data and maintain trust in their platforms.