4,982 Security Issues Identified Across 2,259 Affected in Public MCP Servers

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

A sweeping security crisis across public Model Context Protocol (MCP) servers, cataloging 4,982 security issues across 2,259 affected servers, exposing serious gaps that directly threaten the emerging agentic AI ecosystem.

Model Context Protocol has become the dominant standard for connecting large language models (LLMs) to local and remote data sources, enabling AI applications to evolve into active agents capable of executing code, querying databases, and managing cloud infrastructure.

This rapid growth has made MCP directories a critical foundation of the modern AI economy. However, the speed of adoption has significantly outpaced security safeguards.

In a large-scale audit of 9,695 MCP servers crawled from four public directories GitHub, Glama, Lobehub, and PulseMCP researchers from Trend Micro’s Forward-Looking Threat Research Team identified confirmed security issues in 2,259 servers, producing 4,982 distinct vulnerabilities.

The breakdown is alarming: arbitrary file access (880 issues), no authentication (2,054 instances), command injection (476), denial of service (490), SSRF (422), SQL injection (211), cross-site scripting (155), prompt injection (185), authorization bypass (8), and code injection (101).

These flaws were grouped into three risk categories: exploitable vulnerabilities, design-level weaknesses (vulnerable by design), and malicious behaviors such as prompt injection where attackers manipulate AI agent responses directly.

Security Issues Identified in MCP Servers

One of the study’s most critical findings is that neither server popularity nor verification status reliably indicates safety.

Verified servers averaged nearly as many security issues as unverified ones. High-popularity servers (50+ GitHub stars) had the largest individual blast radius; when widely adopted tools are compromised, the impact reaches the widest user base.

Meanwhile, low-star servers showed a higher-than-expected average issue count per server, proving low visibility does not mean low risk.

The top combinations of security issues (source: Trendaisecurity)

Similarly, servers with higher commit counts showed no meaningful reduction in security issues. More active development brought more code to the surface without proportional security improvements.

The research identified vulnerable servers across cryptocurrency and DeFi tools, office automation platforms, and enterprise applications.

In one case, a prolific developer with over 40 crypto-focused MCP servers had 101 security issues across 13 affected repositories, including server-side template injection and prompt injection that could enable unauthorized blockchain transactions.

Another developer’s office automation servers included direct eval() calls, allowing arbitrary Python code execution.

Enterprise JDBC/ODBC middleware servers exhibited SQL injection flaws and unauthenticated Active Directory access, creating reconnaissance and privilege-escalation pathways for attackers.

Security flaws rarely appear in isolation. The research identified frequent co-occurrence patterns, most notably arbitrary file access combined with missing authentication.

This signals systemic failures in input validation and basic security hygiene rather than one-off coding errors.

Security teams should treat every third-party MCP server as unvetted code, regardless of its stars or verification badge. Mandatory measures include:

Reviewing all third-party MCP server code before deployment. Enforcing authentication and least-privilege access controls. Validating all tool inputs to prevent injection attacks.

Implementing real-time traffic inspection between AI agents and MCP servers.Adopting behavioral baselining to detect when MCP tools deviate from their intended function.

Organizations must abandon trust-by-default assumptions. Social proof metrics like GitHub stars or directory badges offer no guarantee of security; only rigorous code audits and zero-trust integration practices do.

Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor ChecklistDownload Free AI SOC SLA Guide