
Model Context Protocol has a security issue that won’t go away.
When VentureBeat first reported on MCP vulnerabilities last October, the data was already alarming. Pynt’s research showed that deploying just 10 MCP plugins creates a 92% probability of exploitation, with significant risk even from a single plugin.
The main flaw has not changed: MCP shipped without mandatory authentication. The authorization frameworks arrived six months after widespread deployment. As Merritt Baer, head of security at Encrypted AI, warned at the time: "MCP comes with the same mistake we’ve seen in every major protocol deployment: insecure defaults. If we don’t build in authentication and least privilege from day one, we’ll fix breaches over the next decade."
Three months later, the cleanup has already started – and it’s worse than expected.
Clutch changed the threat model. The viral AI personal assistant that can clear inboxes and write code overnight runs entirely on MCP. Every developer who launched a Clawdbot on a VPS without reading the security documentation has exposed their company to the protocol’s entire attack surface.
Itamar Golan saw it coming. He sold Fast Security to SentinelOne for an estimated $250 million last year. This week he posted a warning on X: "Disaster is coming. Thousands of Clawdbots are currently online on VPS…with open ports to the Internet…and no authentication. This is going to get ugly."
He’s not exaggerating. When Knostic scanned the Internet, it found 1,862 MCP servers exposed without authentication. It tested 119. Every one responded without requiring credentials.
Anything Clawdbot can automate, attackers can weaponize.
Three CVEs expose the same architectural flaw
These vulnerabilities are not edge cases. They are direct consequences of MCP design decisions. Here is a brief description of each CVE and the workflow that exposes it:
- CVE-2025-49596 (CVSS 9.4): Anthropic’s MCP Inspector exposed unauthenticated access between its web UI and proxy server, allowing full system compromise via a malicious web page.
- CVE-2025-6514 (CVSS 9.6): Command injection in mcp-remote, an OAuth proxy with 437,000 downloads, allowed attackers to take control of systems when a client connected to a malicious MCP server.
- CVE-2025-52882 (CVSS 8.8): Popular Claude Code extensions exposed unauthenticated WebSocket servers, allowing arbitrary file access and code execution.
Three critical vulnerabilities in six months. Three different attack vectors. One root cause: MCP authentication has always been optional, and developers treated it as unnecessary.
The attack surface continues to expand
A recent analysis of popular MCP implementations also uncovered several classes of vulnerabilities: 43% contained command injection flaws, 30% allowed unrestricted URL fetching, and 22% leaked files outside of their intended directories.
Jeff Pollard, an analyst at Forrester, described the risk in a blog post: "From a security perspective, this seems like a very effective way to introduce a new, very powerful actor into your environment without any guardrails."
This is not an exaggeration. An MCP server with shell access can be weaponized for lateral movement, credential theft, and ransomware deployment, all triggered by a prompt injection hidden in a document that the AI has been asked to process.
Known vulnerabilities, deferred fixes
Security researcher Johann Rehberger disclosed a file exfiltration vulnerability last October: a prompt injection could trick AI agents into transmitting sensitive files to attackers’ accounts.
Anthropic launched Cowork this month, extending MCP-based agents to a broader, less security-aware audience. The same vulnerability resurfaced, this time immediately exploitable: PromptArmor demonstrated a malicious document that manipulated the agent into downloading sensitive financial data.
Anthropic’s mitigation advice: users should monitor for "suspicious actions that may indicate prompt injection."
a16z partner Olivia Moore spent a weekend using Clawdbot and captured the disconnect: "You give an AI agent access to your accounts. It can read your messages, send SMS on your behalf, access your files and run code on your machine. You really need to understand what you’re allowing."
Most users don’t do this. Most developers don’t do this either. And MCP’s design never required it.
Five actions for security managers
- Take inventory of your MCP exposure now. Traditional endpoint detection sees Node or Python processes started by legitimate applications and does not flag them as threats. You need tools that specifically identify MCP servers.
- Treat authentication as mandatory. The MCP specification recommends OAuth 2.1, but the SDK includes no built-in authentication. Every MCP server that touches production systems must be authenticated at deployment, not after the incident.
- Limit network exposure. Bind MCP servers to localhost unless remote access is explicitly required and authenticated. The 1,862 exposed servers found by Knostic suggest that most exposures are accidental.
- Assume prompt injection attacks will arrive and succeed. MCP servers inherit the reach of the tools they wrap. Does the server wrap cloud credentials, file systems, or deployment pipelines? Design access controls assuming the agent will be compromised.
- Force human approval for high-risk actions. Require explicit confirmation before agents send external emails, delete data, or access sensitive information. Treat the agent as a fast but literal junior employee who will do exactly what you say, including things you didn’t expect.
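As an added illustration of the second, fourth and fifth actions (example code, not from the article or from any MCP SDK), a minimal Python policy gate that rejects unauthenticated tool calls, denies any tool not on an explicit allowlist, and holds high-risk tools until a human confirms. The tool names, risk tiers and bearer token are constructed for the example.

```python
import hmac
from dataclasses import dataclass

# Constructed policy: hypothetical tool names, not from any real MCP server.
# Each tool gets a risk tier; anything not listed is denied (least privilege).
POLICY = {
    "read_calendar": "low",
    "search_files": "low",
    "send_email": "high",       # leaves the organisation: needs a human
    "delete_records": "high",
    "run_shell": "high",
}

# Constructed secret; a real deployment loads this from its secret store.
EXPECTED_TOKEN = "example-token-do-not-use"


@dataclass
class Decision:
    allowed: bool
    reason: str


def authenticate(headers: dict) -> bool:
    """Reject any request without a valid bearer token (constant-time compare)."""
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        return False
    return hmac.compare_digest(auth[len("Bearer "):], EXPECTED_TOKEN)


def authorize_tool_call(headers: dict, tool: str,
                        approved_by_human: bool = False) -> Decision:
    """Gate one MCP tool invocation: auth first, then allowlist, then risk tier."""
    if not authenticate(headers):
        return Decision(False, "unauthenticated request")
    tier = POLICY.get(tool)
    if tier is None:
        return Decision(False, f"tool {tool!r} is not on the allowlist")
    if tier == "high" and not approved_by_human:
        return Decision(False, f"tool {tool!r} is high-risk; human confirmation required")
    return Decision(True, f"tool {tool!r} permitted ({tier} risk)")


if __name__ == "__main__":
    ok = {"authorization": f"Bearer {EXPECTED_TOKEN}"}
    for tool, approved in [("read_calendar", False), ("send_email", False),
                           ("send_email", True), ("curl_anything", False)]:
        print(tool, authorize_tool_call(ok, tool, approved))
    print("no token", authorize_tool_call({}, "read_calendar"))
```

The gate is deliberately deny-by-default: an injected instruction that names a tool outside the allowlist fails closed rather than reaching the underlying system.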
The governance gap is wide
Security vendors moved early to monetize MCP risk, but most companies did not act as quickly.
Clawdbot adoption exploded in Q4 2025. Most 2026 security roadmaps do not include any controls on AI agents. The gap between developer enthusiasm and security governance is measured in months. The window for attackers is wide open.
Golan is right. This is going to get ugly. The question is whether organizations will secure their exposure to MCP before someone else exploits it.