Widespread Security Flaws Found in Public MCP Servers

Recent research has uncovered significant security vulnerabilities within public Model Context Protocol (MCP) servers, identifying 4,982 issues across 2,259 affected servers. This discovery highlights critical weaknesses that pose substantial risks to the rapidly expanding agentic AI ecosystem.

MCP has become the standard for connecting large language models (LLMs) to various data sources, enabling AI applications to perform tasks such as code execution, database queries, and cloud infrastructure management. However, the swift adoption of MCP has outpaced the implementation of adequate security measures.

In a comprehensive audit of 9,695 MCP servers sourced from public directories like GitHub, Glama, Lobehub, and PulseMCP, researchers from Trend Micro’s Forward-Looking Threat Research Team identified security issues in 2,259 servers, totaling 4,982 distinct vulnerabilities. These issues include arbitrary file access (880 instances), lack of authentication (2,054 instances), command injection (476 instances), denial of service (490 instances), server-side request forgery (422 instances), SQL injection (211 instances), cross-site scripting (155 instances), prompt injection (185 instances), authorization bypass (8 instances), and code injection (101 instances).

The vulnerabilities were categorized into three main risk groups: exploitable vulnerabilities, design-level weaknesses (vulnerable by design), and malicious behaviors such as prompt injection, where attackers can manipulate AI agent responses directly.

Key Findings

One of the study’s critical insights is that neither server popularity nor verification status reliably indicates security. Verified servers exhibited nearly as many security issues as unverified ones. High-popularity servers (those with over 50 GitHub stars) had the largest individual impact, as widely adopted tools, when compromised, affect a broader user base. Conversely, low-star servers showed a higher-than-expected average issue count per server, indicating that low visibility does not equate to low risk.

Additionally, servers with higher commit counts did not demonstrate a meaningful reduction in security issues. Increased development activity introduced more code without corresponding security improvements.

The research identified vulnerable servers across various sectors, including cryptocurrency and decentralized finance (DeFi) tools, office automation platforms, and enterprise applications. For instance, a developer with over 40 crypto-focused MCP servers had 101 security issues across 13 repositories, including server-side template injection and prompt injection vulnerabilities that could enable unauthorized blockchain transactions. Another developer’s office automation servers contained direct eval() calls, allowing arbitrary Python code execution. Enterprise JDBC/ODBC middleware servers exhibited SQL injection flaws and unauthenticated Active Directory access, creating potential pathways for reconnaissance and privilege escalation by attackers.

Security flaws often co-occur. The research identified frequent patterns, notably arbitrary file access combined with missing authentication, signaling systemic failures in input validation and basic security controls.

Implications and Recommendations

These findings underscore the urgent need for enhanced security practices within the MCP ecosystem. Developers and organizations must prioritize rigorous security assessments, implement robust authentication mechanisms, and adhere to secure coding practices to mitigate these vulnerabilities. As AI applications become increasingly integrated into critical systems, ensuring the security of MCP servers is paramount to prevent potential exploitation and safeguard sensitive data.

In conclusion, while MCP servers offer significant advancements in AI capabilities, their widespread adoption without adequate security measures presents substantial risks. Addressing these vulnerabilities is essential to maintain the integrity and trustworthiness of AI-driven applications.