A protocol that never asked permission to become critical infrastructure is now the link between the world's most powerful AI agents and everything from corporate source code to employees' private message histories. Model Context Protocol — MCP — was launched by Anthropic in November 2024. Nine months later it had surpassed 200,000 servers in production. Nobody required a security check at the door.
Now the industry is paying for it.
What Is MCP — and Why Is It Everywhere?
MCP is an open standard that lets large language models communicate with external tools and data sources in a structured way. Think of it as USB-C for AI: one universal connector through which your agent can reach the filesystem, the database, GitHub, Slack, email and hundreds of other services through the same interface.
Before MCP, every tool needed its own integration. MCP standardized the connection. That explains the explosive growth. It also explains the problem: a single attack surface that touches everything.
According to analysis from Instatunnel and Pipelab, roughly 7,000 MCP servers were found exposed directly to the internet in early 2026 — approximately half of all known deployments at that point. A large proportion operated with no authentication controls whatsoever.

KEYFIGURE
| Figure | What It Means |
|---|---|
| 200,000+ | MCP servers in production after nine months |
| 85% | Attack success rate against state-of-the-art defenses using adaptive strategies |
| 88% | Share of open-source MCP servers requiring credentials to function |
| 53% | Share of those that store insecure, long-lived static secrets |
Eight Ways Someone Can Use MCP Against You
In March 2026, researchers published a systematic analysis of thousands of MCP servers on arXiv. They found eight distinct vulnerability types. 7.2 percent of servers had general security flaws. 5.5 percent showed signs of active tool poisoning.
Here are the most important attack vectors, explained for those who aren't security specialists:
1. Tool Poisoning
This is the most invisible and most insidious risk. An attacker hides malicious instructions inside the description text of an MCP tool. The user never sees this text — many MCP clients truncate or hide long tool descriptions in the UI. But the AI agent reads everything. It follows the instructions. Invariant Labs demonstrated a proof-of-concept in which a malicious MCP server extracted a user's complete WhatsApp history by embedding malicious instructions inside a tool description.
2. Rug Pull
An MCP server you installed and trusted is quietly replaced with a malicious version. Most MCP clients don't prompt the user again after the initial installation. The new, dangerous server runs in the background without alerting anyone. In September 2025, the first known in-the-wild version was documented: the npm package postmark-mcp was discovered to contain a hidden backdoor.
3. Cross-Server Tool Shadowing
A malicious server registers tools with names similar to those of a trusted server. The AI agent doesn't verify which server it's actually talking to. Calls intended for the safe server are intercepted and hijacked.
4. Cross-Tool Privilege Escalation
Two apparently harmless MCP servers are combined in a way that allows data to be exfiltrated across boundaries neither could reach alone. An agent connects Jira and a cloud analytics tool, for example — through a chain of tool calls, sensitive information leaks across systems without any single action looking alarming.
5. Prompt Injection via Data
Malicious content is hidden inside documents, tickets or database records. When the agent fetches these via MCP and places them in the context window, the model interprets the content as instructions. Invariant Labs showed that a malicious GitHub Issue could instruct the agent to exfiltrate content from private repositories via the GitHub MCP server, which has more than 14,000 GitHub stars.
6. Command Injection
Many MCP servers pass user input directly to shell commands. CVE-2025-6514, affecting the mcp-remote OAuth proxy with a CVSS score of 9.6, is a textbook example. The package had been downloaded 437,000 times when the vulnerability was discovered. Full RCE — remote execution of arbitrary code — was possible.
7. Rug Pull via IDE Integration
CVE-2025-54136 in Cursor IDE (MCPoison) and CVE-2025-59536 in Claude Code showed that attackers can achieve code execution through configuration files and hooks that run before the client's trust service has a chance to warn the user.
8. Design Vulnerability in the Protocol Itself
In April 2026, an RCE flaw (CVE-2026-30623) was discovered that threatens all 200,000+ MCP deployments via LiteLLM. Anthropic declined to take ownership of it as a "design flaw" in the protocol. The debate over who bears responsibility is still ongoing.
COMPARISON TABLE: Key MCP CVEs
| CVE | CVSS | Target | Consequence |
|---|---|---|---|
| CVE-2025-6514 | 9.6 | mcp-remote OAuth proxy | Full RCE, 437,000 downloads at risk |
| CVE-2025-68143/44/45 | Not published | Anthropic's official Git MCP server | Path traversal, argument injection |
| CVE-2025-59536 | 8.7 | Claude Code hooks | RCE via .claude/settings.json |
| CVE-2025-54136 | Not published | Cursor IDE | Persistent code execution via MCPoison |
| CVE-2026-30623 | Not published | LiteLLM / MCP design | RCE against 200,000+ servers |
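The shell and argument injection pattern behind the mcp-remote and Git MCP server entries above, shown as an added example that is not code from either project or from this article: a hypothetical MCP tool that runs `git log` on a caller-supplied ref and path, with the unsafe string-building beside a hardened version that allowlists the ref, keeps the path inside the repository root, and passes an argv list with `--` so neither value can be read as a git option. The ref policy and repository paths are assumptions for illustration.

```python
import os
import re
import subprocess

# Assumed policy for this illustration: refs are allowlisted by character class
# and must not start with "-", so git can never read them as an option.
REF_PATTERN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,99}$")

def build_git_log_unsafe(ref: str) -> str:
    # Vulnerable pattern: caller input spliced into one string meant for shell=True.
    # Shell metacharacters in `ref` become additional commands.
    return f"git log -1 {ref}"

def safe_ref(ref: str) -> bool:
    return bool(REF_PATTERN.match(ref))

def path_within(repo_root: str, user_path: str) -> bool:
    # Path-traversal guard: the resolved target must stay inside the repo root.
    root = os.path.realpath(repo_root)
    target = os.path.realpath(os.path.join(root, user_path))
    return os.path.commonpath([root, target]) == root

def build_git_log_argv(repo_root: str, ref: str, path: str = ".") -> list:
    # Hardened form: argv list (no shell), validated ref, resolved path, and
    # "--" so that neither value can be interpreted as a git option.
    if not safe_ref(ref):
        raise ValueError(f"rejected ref: {ref!r}")
    if not path_within(repo_root, path):
        raise ValueError(f"path escapes repository: {path!r}")
    root = os.path.realpath(repo_root)
    rel = os.path.relpath(os.path.realpath(os.path.join(root, path)), root)
    return ["git", "-C", root, "log", "-1", ref, "--", rel]

def run_git_log(repo_root: str, ref: str, path: str = ".") -> str:
    # The only place a process is spawned; everything above is pure validation.
    argv = build_git_log_argv(repo_root, ref, path)
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout
```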
HIGHLIGHT
88 percent of all open-source MCP servers require credentials to function. More than half of those store secrets as long-lived API keys and personal access tokens — directly in the configuration. One compromised server can hand an attacker the keys to everything the agent can reach.
Who Is Warning? And Who Is Listening?
OWASP published two separate top-10 lists in 2026 covering MCP and agent-based risks. The OWASP MCP Top 10 (beta 2026), led by Vandana Verma Sehgal, catalogues everything from token mismanagement and privilege escalation to shadow MCP servers and context injection.
The Cloud Security Alliance released its Agentic MCP Security Best Practices v1 in May 2026 — a comprehensive guide covering tool poisoning, rug pull, prompt injection and supply chain attacks.
An academic meta-analysis covering 78 studies from 2021 to 2026 painted a bleak picture: the attack success rate against state-of-the-art defenses exceeds 85 percent when attackers use adaptive strategies. Forty-two distinct attack techniques have been catalogued. Eighteen defensive mechanisms fail to mitigate more than half of sophisticated adaptive attacks.
FACT BOX: What the Defense Side Looks Like in 2026
Available tools:
- mcp-scan (Invariant Labs, open-source): Scans MCP server definitions for known attack patterns
- MCP Gateways: Centralize routing, authentication and policy enforcement
- Fingerprint pinning and hash pinning: Blocks rug pulls by verifying server identity
- Response scanning: Analyzes every MCP response for injected content
- DLP on outgoing arguments: Prevents exfiltration via tool calls
- Sandboxing: Isolates MCP servers from each other and from critical systems
What's missing:
Standardized authentication at the protocol level. Automatic update verification. Industry-wide requirements for security certification of MCP packages.
TIMELINE: MCP from Launch to Security Crisis
- November 2024 — Anthropic launches Model Context Protocol as an open standard
- August 2025 — CVE-2025-54136 discovered in Cursor IDE (MCPoison)
- September 2025 — First in-the-wild malicious MCP server found: postmark-mcp npm package with hidden backdoor
- January–February 2026 — 30+ CVEs filed in two months; 43% are exec/shell injection vulnerabilities
- March 2026 — arXiv analysis of thousands of servers finds eight vulnerability types; 7,000 servers exposed to the internet without authentication
- April 2026 — CVE-2026-30623 disclosed; Anthropic declines to own the design flaw
- May 2026 — CSA publishes Agentic MCP Security Best Practices v1
PULLQUOTE
> "Nearly 2,000 publicly accessible MCP servers were scanned — and every single verified instance exposed internal tool listings without authentication."
> — Unicrew security study, 2026
What Can You Do Right Now?
For developers and businesses already running MCP agents, the advice from CSA and security researchers is clear: Don't install MCP packages without verifying the vendor. Use short-lived tokens, not static API keys. Deploy mcp-scan in your CI/CD pipeline. Require an MCP Gateway between the agent and its servers. Scan all MCP responses for injected content. Enable hash pinning for approved server definitions.
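Hash pinning of approved server definitions and scanning of tool descriptions, from the fact box and the advice above, as an added example that is not code from mcp-scan, any MCP gateway product, or this article: the tool list is canonicalised and pinned when a server is approved, a later listing is compared against the pins (a changed definition is the rug-pull signal), descriptions are checked against a small set of assumed injection heuristics (tool poisoning), and tool names offered by more than one server are reported as shadowing candidates. The sample tool list and the regexes are constructed for illustration.

```python
import hashlib
import json
import re
# Constructed sample: the tool list a client stored (pinned) when the server was first approved.
PINNED_TOOLS = [
    {"name": "send_email", "description": "Send an email to the given recipient."},
    {"name": "list_repos", "description": "List repositories the current user can access."},
]
# Phrases that have no business in a tool description an agent will read (assumed heuristics).
SUSPICIOUS = [
    r"ignore (all |any )?(previous|prior) instructions",
    r"do not (tell|show|mention|reveal)",
    r"<important>",
    r"(read|include|attach) .*(~|/etc/|\.ssh|\.env)",
]
def tool_digest(tool: dict) -> str:
    # Canonical JSON so the hash does not depend on key order or whitespace.
    canonical = json.dumps(tool, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def build_pins(tools: list) -> dict:
    return {t["name"]: tool_digest(t) for t in tools}

def suspicious_description(description: str) -> bool:
    return any(re.search(p, description, re.IGNORECASE) for p in SUSPICIOUS)

def verify_tools(pins: dict, tools: list) -> list:
    # Compare the live tool list against the pins; every difference is a finding.
    findings, seen = [], set()
    for t in tools:
        name = t["name"]
        seen.add(name)
        if name not in pins:
            findings.append(("new_tool", name))
        elif pins[name] != tool_digest(t):
            findings.append(("changed_tool", name))  # rug pull: definition changed after approval
        if suspicious_description(t.get("description", "")):
            findings.append(("suspicious_description", name))  # tool poisoning heuristic
    findings.extend(("missing_tool", n) for n in pins if n not in seen)
    return findings

def detect_shadowing(servers: dict) -> dict:
    # servers maps server name -> tool list; a name offered by several servers is a shadowing candidate.
    owners = {}
    for server, tools in servers.items():
        for t in tools:
            owners.setdefault(t["name"], []).append(server)
    return {name: s for name, s in owners.items() if len(s) > 1}
```

Run `verify_tools(build_pins(PINNED_TOOLS), live_tools)` on every `tools/list` response, not only at install time, and treat any `changed_tool` finding as a reason to re-prompt the user.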
For those who are simply curious about what AI agents are actually doing behind the scenes: the answer is more than most people realize.
BOTTOM LINE
MCP is not a beta project. It is already critical infrastructure for AI agents running in production at thousands of companies. The protocol grew so fast that the security framework never caught up. Eight documented attack vectors, more than 30 CVEs in two months, and a sober academic finding that 85 percent of defenses don't hold against sophisticated attacks — this is not a future threat. It is happening now. The question is no longer whether your MCP agents are exposed. The question is whether anyone has checked.
Verified against 10 open primary sources.
Sources: arxiv.org/abs/2603.21642 · arxiv.org/abs/2601.17548 · pipelab.org · aminrj.com · instatunnel.my · venturebeat.com · labs.cloudsecurityalliance.org · unicrew.com · securie.ai · ismatsamadov.com
