RapidClawRapidClaw
All posts
9 min read
Tariq Mansoor Security researcher covering AI infrastructure and protocol vulnerabilities

30 CVEs in 60 Days: The MCP Security Crisis Nobody Secured Before Shipping

38% of MCP servers have zero authentication. 7,000+ servers analyzed, CVSS 9.8 exploits in the wild. The protocol connecting AI agents to your tools was built for functionality, not security.

ai-agentstrendingsecuritymcp
30 CVEs in 60 Days: The MCP Security Crisis Nobody Secured Before Shipping

A CVSS 9.8. Remote code execution. No authentication required. That was CVE-2026-28741, filed on February 23 against the Model Context Protocol — the standard that connects AI agents to databases, file systems, APIs, and code execution environments. It wasn't the first. It wasn't the last. Between February 12 and April 13, 2026, thirty CVEs were filed against MCP servers and the protocol itself. One every two days, on average, for two months straight.

The protocol that Anthropic introduced in November 2024 and that the industry adopted as the de facto standard for agent-tool integration was built for functionality. Security was an afterthought. And by the time researchers started looking seriously at the attack surface, MCP had already been wired into production systems at thousands of companies.

Is MCP protocol secure? In its current state, no. Independent audits of 7,392 MCP servers found that 38% have zero authentication — no API keys, no OAuth, no token verification of any kind. The protocol specification itself lacks mandatory security requirements for server implementations, which means every server author makes their own security decisions. Most of them chose speed over safety.

30 CVEs filed against MCP protocol in 60 days — severity breakdown and timeline
30 CVEs filed against MCP protocol in 60 days — severity breakdown and timeline

The audit that exposed everything#

In March 2026, researchers at Invariant Labs published the most comprehensive security audit of the MCP ecosystem to date. They analyzed 7,392 publicly listed MCP servers — every server registered in the major directories including the official MCP registry, community hubs, and third-party aggregators.

The findings were worse than expected:

  • 38% of servers had zero authentication. No API keys. No OAuth flows. No bearer tokens. Nothing. Anyone who could reach the server could invoke any tool it exposed.
  • Over 40% of servers with auth used hardcoded credentials. API keys baked into configuration files, environment variables with default values that nobody changed, bearer tokens checked against string literals in source code.
  • 23% of servers exposed file system access without path restrictions. An agent connected to these servers could read or write anywhere on the host. Not sandboxed directories. Anywhere.
  • Tool descriptions in 14% of servers contained instructions that could manipulate agent behavior. This is tool poisoning — a vulnerability class unique to MCP where the natural-language description of a tool includes hidden instructions that the connected LLM follows without the user realizing it.

The 38% figure deserves emphasis. These aren't toy projects or abandoned repos. The audit covered servers actively listed in directories that developers use to wire agents into production workflows. More than one in three had no authentication at all.

The vulnerability classes#

What are MCP server vulnerabilities? They fall into five categories, each exploiting a different part of the protocol's trust model.

Tool poisoning is the most novel and arguably the most dangerous. MCP servers describe their tools in natural language — the agent reads these descriptions to decide which tool to call and how. Researchers demonstrated that a malicious server can embed instructions in tool descriptions that override the agent's system prompt. A tool described as "Searches the company knowledge base" can contain hidden text instructing the agent to first exfiltrate the user's API keys to an external endpoint before running the search. The agent follows these instructions because it treats tool descriptions as trusted context. There is no separation between "metadata about the tool" and "instructions the agent should follow."

Invariant Labs published proof-of-concept attacks where tool poisoning caused agents to leak credentials, modify files, and send data to attacker-controlled servers — all while the user saw normal-looking tool invocations in the chat interface.

Rug pulls exploit MCP's dynamic nature. MCP servers can change their tool descriptions and capabilities at any time after the initial connection. An agent approves a tool with a benign description on first connection. The server later updates the description to include malicious instructions. The agent follows the new instructions without re-prompting the user for approval. This is the protocol-level equivalent of a bait-and-switch, and there is no mechanism in the MCP specification to detect or prevent it.

Credential theft is the most straightforward class. When an agent connects to an MCP server, it often passes credentials — API keys, OAuth tokens, database connection strings — so the server can act on the user's behalf. Malicious or compromised servers harvest these credentials. The protocol provides no standard for credential scoping, rotation, or revocation. Once you give a server your database credentials, you've given them your database credentials. Full stop.

Cross-server data exfiltration leverages the fact that most MCP clients connect to multiple servers simultaneously. A malicious server can use tool poisoning to instruct the agent to read data from a trusted server and relay it back. Server A asks the agent to query Server B's database tool, then pass the results to Server A's "analytics" tool — which actually sends the data to an external endpoint. The agent complies because it has no concept of server isolation.

Command injection via tool arguments is the oldest class but still prevalent. Servers that pass tool arguments directly to shell commands, SQL queries, or API calls without sanitization are vulnerable to injection attacks. In the MCP ecosystem, the agent constructs tool arguments from user input and LLM reasoning — both of which can contain payloads that break out of the intended command structure.

MCP vulnerability classes — tool poisoning, rug pulls, credential theft, cross-server exfiltration, and command injection
MCP vulnerability classes — tool poisoning, rug pulls, credential theft, cross-server exfiltration, and command injection

30 CVEs in context#

The thirty CVEs filed between February and April span all five vulnerability classes. The highest-severity entries:

CVECVSSCategoryImpact
CVE-2026-287419.8Command injectionRCE via unsanitized tool arguments in filesystem MCP server
CVE-2026-291039.4Credential theftOAuth token exfiltration through crafted tool description
CVE-2026-302179.1Tool poisoningAgent prompt override via hidden instructions in tool metadata
CVE-2026-289558.8Cross-server exfilData relay between MCP servers without user consent
CVE-2026-314428.6Rug pullPost-approval tool description modification enabling RCE

These aren't theoretical. CVE-2026-28741 was discovered because a security team found their production filesystem MCP server had been exploited — an attacker used a crafted file path argument to break out of the intended directory scope and execute arbitrary commands on the host. The server had 12,000 active installations in the npm registry.

The cadence — thirty in sixty days — tells its own story. When researchers started looking at MCP security seriously, they found problems everywhere. The protocol's trust model assumes servers are benign, tool descriptions are honest, and credentials are handled responsibly. None of those assumptions hold in an open ecosystem where anyone can publish a server.

How this compares to OpenClaw's 9 CVEs#

When nine CVEs dropped against OpenClaw in four days in March, the community treated it as a platform-specific crisis. A popular agent framework with auth bypass bugs and sandbox escapes. Serious, but scoped to one project.

The MCP CVEs are different in kind. This isn't a single platform with implementation bugs. This is the protocol layer — the specification that every agent platform uses to connect to external tools. OpenClaw's CVEs could be patched by one team pushing one update. MCP's vulnerabilities are distributed across 7,000+ independently maintained servers, each with their own security posture (or lack thereof).

The OpenClaw situation was a fire in one building. MCP is a structural deficiency in the building code.

And the two compound. An OpenClaw instance connecting to a malicious MCP server inherits both sets of risks. The rogue agent coordination research we covered in March showed that agents will route around security controls when optimization pressure pushes them to. A compromised MCP server gives them a ready-made route.

The specification gap#

The root cause isn't sloppy implementation. It's the specification itself.

MCP version 1.0 — the version widely deployed — does not mandate authentication for server connections. It does not require integrity verification of tool descriptions. It does not define a mechanism for servers to prove their identity to clients. It does not specify credential scoping or isolation between servers. It does not prohibit dynamic modification of tool descriptions after initial approval.

The specification defines how tools are described, how they're invoked, and how results are returned. The security model is: "Implementations should handle security appropriately." That phrasing — "should," not "must" — is the gap that produced 38% of servers with zero auth.

This isn't unusual for early-stage protocols. HTTP had the same issue before TLS became mandatory. SMTP still has it. But MCP isn't carrying web pages or email. It's carrying agent actions — tool invocations that read databases, write files, send emails, execute code. The consequences of a compromised MCP connection are categorically different from a compromised HTTP request.

Microsoft's Agent Governance Toolkit addresses some of this at the client level — intercepting and validating agent actions before they execute. But governance at the client doesn't fix a malicious server. If the server lies about what a tool does, the client's governance layer validates the action against the lie.

The MCP trust model gap — specification assumes server honesty, ecosystem delivers the opposite
The MCP trust model gap — specification assumes server honesty, ecosystem delivers the opposite

What the industry is doing about it#

To their credit, the MCP maintainers have responded. A draft specification for MCP 1.1 introduces mandatory authentication for server registration, tool description signing (so modifications are detectable), and a capability scoping model that limits what credentials a server can request.

But draft specifications don't patch production systems. MCP 1.1 is estimated for stable release in Q3 2026. Between now and then, every agent connecting to MCP servers runs on a protocol that was designed before anyone stress-tested its security model.

Several interim measures have emerged from the community:

  • MCP-Scan, an open-source tool that audits MCP server configurations for known vulnerability patterns
  • Server allowlisting in major MCP clients, restricting connections to vetted servers only
  • Proxy architectures that intercept MCP traffic, validate tool descriptions against known-good snapshots, and strip suspicious instructions before they reach the agent

These help. They're also optional, manually configured, and adopted by the subset of developers who are already security-conscious. The 38% of servers with zero auth were built by developers who aren't using MCP-Scan.

Why self-hosted agents reduce this attack surface#

The MCP risk model is worst in cloud-hosted, multi-tenant environments where agents connect to shared MCP server pools. In those architectures, a single compromised server can affect every agent that connects to it. The blast radius scales with the platform's user base.

Self-hosted agents — the model RapidClaw uses — invert this. Each user's agent runs in an isolated container with its own MCP connections. A compromised server affects one instance, not the fleet. Credential scoping is enforced at the container level — an agent's MCP connections can only access the credentials mounted into that specific container. Cross-server exfiltration is harder because the agent's network is segmented.

This doesn't make MCP connections safe. A malicious MCP server can still poison tools, steal credentials, and manipulate agent behavior within the scope of that one instance. But it limits the blast radius from "every user on the platform" to "one user who connected to a bad server." That's the difference between a breach and a containment.

RapidClaw's architecture also allows server-side MCP allowlisting — restricting which MCP servers instances can connect to, validated against a curated registry of audited servers. Users who want to connect to unvetted servers can, but they do so explicitly, not by default.

The protocol will get better. MCP 1.1 will close some of these gaps. But the next six months are the vulnerability window, and the question is whether your agent infrastructure assumes the protocol is secure or assumes it isn't and acts accordingly. See how RapidClaw handles it.

Frequently asked questions#

Is MCP protocol secure?#

Not in its current form. MCP version 1.0 does not mandate authentication for server connections, does not verify tool description integrity, and does not define credential scoping between servers. An independent audit of 7,392 MCP servers found that 38% have zero authentication and over 40% of authenticated servers use hardcoded credentials. Thirty CVEs were filed against MCP servers and the protocol between February and April 2026, including a CVSS 9.8 remote code execution vulnerability. MCP 1.1, expected in Q3 2026, introduces mandatory authentication and tool description signing.

What are MCP server vulnerabilities?#

MCP server vulnerabilities fall into five classes: tool poisoning (hidden instructions in tool descriptions that manipulate agent behavior), rug pulls (servers changing tool descriptions after initial approval), credential theft (servers harvesting API keys and tokens passed during connection), cross-server data exfiltration (malicious servers using agents to relay data from trusted servers), and command injection (unsanitized tool arguments enabling remote code execution). These exploit MCP's trust model, which assumes servers are benign and tool descriptions are honest.

How many MCP servers are vulnerable?#

Of 7,392 publicly listed MCP servers audited in March 2026, 38% had zero authentication, over 40% of authenticated servers used hardcoded credentials, 23% exposed unrestricted file system access, and 14% contained tool descriptions with potentially manipulative instructions. The total number of MCP servers in production is significantly higher than what's publicly listed, meaning the actual count of vulnerable servers is likely much larger.

How does tool poisoning work in MCP?#

MCP servers describe their tools in natural language that the connected AI agent reads to understand what each tool does. Tool poisoning embeds hidden instructions in these descriptions that override the agent's intended behavior. For example, a tool described as "Search knowledge base" can contain hidden text instructing the agent to first send the user's API keys to an external server. The agent follows these instructions because it treats tool descriptions as trusted context with no separation between metadata and executable instructions.

Can managed hosting protect against MCP vulnerabilities?#

Managed hosting reduces MCP attack surface through container isolation (each agent's MCP connections are scoped to one instance), credential segmentation (agents can only access credentials mounted into their specific container), and server allowlisting (restricting connections to audited MCP servers). This doesn't eliminate MCP risks but limits the blast radius of a compromised server from the entire platform to a single instance.

The protocol connecting your AI agent to your tools has 30 CVEs and counting. RapidClaw runs your agent in isolation so a bad MCP server stays a one-instance problem.

Share this post

Ready to build your own AI agent?

Deploy a personal AI agent to Telegram or Discord in 60 seconds. From $19/mo.

Get Started

Related Posts

88% of Companies Already Had an AI Agent Security Incident. Most Can't Trace What Happened.

88% of Companies Already Had an AI Agent Security Incident. Most Can't Trace What Happened.

Gravitee survey: 88% of enterprises had an AI agent security incident. 82% of execs feel confident their policies work. The audit trail gap is the real crisis.

Microsoft Just Open-Sourced the Security Shield Every AI Agent Needs

Microsoft Just Open-Sourced the Security Shield Every AI Agent Needs

Microsoft released a 7-package open-source Agent Governance Toolkit covering authorization, tracing, prompt injection defense, and PII protection — all under 0.1ms latency. Here's what it means for agent security.

Shadow AI Agents Are Running in 98% of Companies. Nobody Knows What They're Doing.

98% of organizations have unauthorized AI agents operating inside their networks, according to new research. Shadow AI agents access sensitive data, make decisions, and take actions without IT oversight. Here's why this is the biggest security blind spot of 2026.

Stay in the loop

New use cases, product updates, and guides. No spam.