Yes, any MCP server that is connected to an untrusted source of data could be abused by an attacker to take over the agent. Here, we just showed an in-server exploit that does not require more than one server.

Also, check out our work on tool poisoning, where a connected server itself turns malicious (https://invariantlabs.ai/blog/mcp-security-notification-tool...).
