Overview
- A logic flaw in Asana’s Model Context Protocol server exposed data scoped to each user’s permissions between May 1 and June 4.
- Impacted information may include task details, project metadata, comments, discussions and uploaded files from other organizations.
- Asana took the MCP server offline on June 5, implemented a code fix and resumed operations on June 17.
- The company has sent tailored notices with communication forms to affected clients and is compiling a full report on the breach.
- Administrators are urged to review MCP access logs and report any suspicious data to Asana immediately.