Incident

Asana reports logic flaw in AI Integration feature exposing customer data across organizations

Take action: Developers, take note: AI integrations need rock-solid tenant isolation at every layer of the system, and experimental AI features need extra security safeguards and logging that tracks data access patterns. Users, take note: be cautious with AI features, understand exactly what data your favorite AI can access, and don't over-share, because AI implementations are far from well understood and controlled, even when the developer has only the best intentions.


Learn More

Project management software provider Asana is reporting a critical logic flaw in its experimental Model Context Protocol (MCP) server feature that potentially exposed customer data from one organization to users at different organizations for over a month. 

The vulnerability was discovered on June 4, 2025, and affected the AI-powered integration capabilities the company had launched on May 1, 2025, as part of its effort to connect enterprise workflow data with large language models.

Asana introduced the MCP server feature to enable AI-powered capabilities including summarization, smart replies, and natural language queries integrated with external large language models. The Model Context Protocol represents an open standard developed by Anthropic to standardize how AI systems connect with external data sources and applications, allowing for seamless integration between AI assistants and enterprise tools.

The bug in Asana's MCP implementation created a cross-tenant data exposure scenario in which users accessing the MCP interface could potentially view data belonging to other organizations. It stemmed from insufficient tenant isolation in the MCP server architecture: data that should have been strictly separated between customer domains became accessible across organizational boundaries during AI-powered interactions and queries.

Exposed data includes:

  • Task-level information and project metadata
  • Team details and organizational structure data
  • Comments and internal discussions between team members
  • Uploaded files and attachments within projects
  • AI-generated queries and chatbot responses
  • Project timelines, deadlines, and workflow information

The scope of data exposure was limited to information accessible within each affected user's existing permission levels, meaning that the vulnerability did not grant users broader access rights than they already possessed within their own organizations. The cross-organizational nature of the exposure meant that sensitive business information could potentially be viewed by competitors or unauthorized third parties who were also using Asana's MCP integration features.
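As an added illustration (not Asana's code, whose internals are not public), the following minimal MCP-style tool handler shows the gap described above: a lookup that checks only the caller's permission level, beside one that also enforces the caller's organization and records every decision so cross-organizational access patterns can be reviewed. The organizations, task ids and the `tasks:read` scope are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Session:
    user_id: str
    org_id: str          # taken from the verified auth token, never from request parameters
    scopes: frozenset    # the user's permission level within their own organization

@dataclass(frozen=True)
class Task:
    task_id: str
    org_id: str
    title: str

# Constructed sample data: two organizations served by the same MCP server.
TASKS: Dict[str, Task] = {
    "t-100": Task("t-100", "org-acme", "Q3 roadmap"),
    "t-200": Task("t-200", "org-globex", "Board prep notes"),
}
AUDIT: List[dict] = []   # access-pattern log, one entry per decision

def get_task_vulnerable(session: Session, task_id: str) -> Optional[Task]:
    """Checks the user's permission level but never the tenant: any task id resolves."""
    if "tasks:read" not in session.scopes:
        return None
    return TASKS.get(task_id)

def get_task_isolated(session: Session, task_id: str) -> Optional[Task]:
    """Permission check plus tenant check, with every decision written to the audit log."""
    task = TASKS.get(task_id)
    allowed = (task is not None and "tasks:read" in session.scopes
               and task.org_id == session.org_id)
    AUDIT.append({"user": session.user_id, "session_org": session.org_id,
                  "task": task_id, "task_org": task.org_id if task else None,
                  "decision": "allow" if allowed else "deny"})
    # A foreign-tenant task is answered exactly like a missing one.
    return task if allowed else None

def cross_tenant_attempts(audit: List[dict]) -> Dict[str, int]:
    """Detection helper: per user, count denials where the task exists in another org."""
    counts: Dict[str, int] = {}
    for entry in audit:
        if entry["decision"] == "deny" and entry["task_org"] not in (None, entry["session_org"]):
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts
```

Run over the audit log, `cross_tenant_attempts` is the kind of review the advisory asks administrators to perform on access logs.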

Asana discovered the logic flaw on June 4, 2025, and took the MCP server offline to investigate and contain the issue. The vulnerability had been present since the feature's initial release on May 1, 2025, creating a window of over one month during which the data exposure could have occurred.

The incident affected approximately 1,000 customers who had implemented the experimental MCP server integration within their Asana environments. There is currently no evidence that malicious actors exploited the vulnerability or that unauthorized users actually accessed cross-organizational data.

Asana has informed all potentially affected organizations, providing them with detailed notifications about the incident and specific guidance for assessing potential data exposure within their environments. 

The company has advised affected organizations to immediately review any information accessed through the MCP server interface in recent weeks and delete any data that does not belong to their organization. Administrative users are recommended to audit AI-generated summaries and responses obtained through the MCP server, review Asana access logs for any unusual cross-organizational activity, and temporarily restrict access to LLM integrations until security confidence is restored.

Asana reset all connections to the MCP server, requiring manual reconnection for organizations that wish to continue using the AI integration capabilities. 
