MCP Security Crisis — 30 CVEs in 60 Days

MCP: The Cost of Becoming AI’s USB Port

Model Context Protocol (MCP) has become the de facto standard for connecting LLMs to external tools and data. With its transition to open governance under the Linux Foundation and endorsement from major vendors like Anthropic, OpenAI, and Google, adoption has skyrocketed. But wherever convenience is established, attack surface inevitably follows.

Between January and February 2026, 30 CVEs were reported across the MCP ecosystem in just 60 days, with 42,665 MCP server instances found exposed to the internet. Of the 560 servers scanned, 36% had no authentication whatsoever. It is no exaggeration to say that MCP is becoming the fastest-growing attack surface of the AI era.

This article analyzes the current MCP security landscape from an EM/VPoE/CTO perspective and presents a hardening guide that teams and organizations can implement immediately.

The Three-Layer Attack Model Behind 30 CVEs

Classifying the 30 reported CVEs reveals that MCP’s attack surface has evolved into three distinct layers.

graph TD
    subgraph "Layer 1: Execution Layer (43%)"
        A1["Shell Injection"] --> A2["13 CVEs"]
        A3["Path Traversal / Argument Injection"] --> A4["3 CVEs"]
    end

    subgraph "Layer 2: Infrastructure Layer (20%)"
        B1["Inspector / Scanner Vulnerabilities"] --> B2["6 CVEs"]
    end

    subgraph "Layer 3: Authentication Layer (13%)"
        C1["Auth Bypass"] --> C2["4 CVEs"]
    end

    subgraph "Other (24%)"
        D1["SDK-Level Vulnerabilities"] --> D2["ReDoS, SSRF, etc."]
    end

Layer 1 — Execution Layer (43%, 13+3 CVEs)

The most classic category, and still the most prevalent. A recurring pattern was discovered where MCP servers pass user input directly to shell commands.

Key example: Three vulnerabilities found in Anthropic’s official Git MCP server (CVE-2025-68143 through 68145) allowed remote code execution (RCE) via prompt injection. Path validation bypass, unrestricted git_init, and argument injection worked in combination.

Layer 2 — Infrastructure Layer (20%, 6 CVEs)

This is a new pattern where the vulnerability lies not in the MCP server itself, but in the tools used to manage and monitor MCP. Inspectors, scanners, and host applications — “meta-tools” — have become attack targets.

Layer 3 — Authentication Layer (13%, 4 CVEs)

Authentication-related vulnerabilities were reported, including OAuth token refresh mechanism manipulation on macOS (CVE-2026-27487) and credentials stored in plaintext at ~/.openclaw/credentials/.

SDK-Level Threats — Supply Chain Contamination

Beyond individual servers, supply chain attacks threatening the entire MCP ecosystem have been detected.

Official TypeScript SDK Vulnerabilities

Two critical vulnerabilities were confirmed in @modelcontextprotocol/sdk (the official TypeScript SDK):

ReDoS: The regex used for resource URI matching in the UriTemplate class was susceptible to catastrophic backtracking. A specially crafted URI could hang the server process.
SSRF: An SSRF vulnerability found in Microsoft’s MarkItDown MCP server potentially exists in approximately 36.7% of all MCP servers.

Skill Registry Poisoning

Period	Scan Scope	Malicious Skills	Percentage
2026-01-29	2,857 packages	341	11.9%
2026-02-16	10,700+ packages	824+	7.7%

Bitdefender Labs confirmed malicious payloads in approximately 20% of deeply analyzed samples. In effect, supply chain attacks from npm and PyPI have expanded into the MCP skill registry.

Enterprise Hardening Checklist for EMs and CTOs

graph TD
    subgraph "1. Authentication & Access Control"
        AUTH1["OAuth 2.0 + SSO Integration"]
        AUTH2["Per-Tool RBAC"]
        AUTH3["Short-Lived Dynamic Credentials"]
    end

    subgraph "2. Runtime Isolation"
        RT1["Container Hardening"]
        RT2["Read-Only File System"]
        RT3["seccomp + AppArmor"]
    end

    subgraph "3. Input Validation"
        IV1["Prompt Sanitization"]
        IV2["Parameter Allowlisting"]
        IV3["Shell Command Blocking"]
    end

    subgraph "4. Governance"
        GOV1["Approved MCP Server Registry"]
        GOV2["Audit Logs & Monitoring"]
        GOV3["Security Team Review Process"]
    end

    AUTH1 --> RT1
    RT1 --> IV1
    IV1 --> GOV1

1. Authentication & Access Control

OAuth 2.0 + SSO integration is mandatory: Place MCP endpoints behind SSO. Given that 36% of servers were exposed without authentication, this is the top priority.
Per-tool RBAC: Apply role-based access control to every MCP tool. Ensure that a “file read” tool does not also carry “file delete” permissions.
Dynamic credentials: Use short-lived tokens instead of static API keys. Implement automatic rotation.

2. Runtime Isolation

Immutable infrastructure: Read-only container file systems with restricted Linux capabilities.
Resource limits: Set CPU/memory quotas to mitigate resource exhaustion attacks such as ReDoS.
Mandatory access control: Restrict at the system call level with seccomp profiles and AppArmor/SELinux.

3. Input Validation

Prompt sanitization: Defend against prompt injection. Validate all user inputs and tool parameters against an allowlist.
Block direct shell command execution: Transition to a structure that only permits predefined commands.

4. Governance

Maintain an approved server registry: Establish a security team approval process so developers cannot install MCP servers arbitrarily.
Audit logs: Maintain audit trails for all MCP tool invocations. Meet regulatory requirements (GDPR, HIPAA, SOC 2).
SAST + SCA: Apply static analysis tools and software composition analysis to MCP server code.

Practical Implementation — Three Stages of MCP Security Maturity

A phased approach to raising your security posture based on your organization’s current state is the most realistic path forward.

Stage 1: Immediate Actions (1–2 weeks)

Immediately disable or block access to unauthenticated MCP endpoints
Audit for plaintext credential storage (~/.openclaw/credentials/, .env)
Verify MCP SDK versions in use and apply patches

Stage 2: Foundation Building (1–2 months)

Complete OAuth 2.0 + SSO integration
Migrate to container-based MCP server deployments
Build an approved MCP server/skill registry
Include MCP server code in SAST/SCA pipelines

Stage 3: Mature Operations (3–6 months)

Real-time monitoring and anomaly detection
Establish periodic security audit processes
Internal training program on MCP security policies
Include MCP scenarios in red team exercises

OWASP’s MCP Security Guide

OWASP published a practical guide for secure MCP server development in early 2026. The key recommendations are:

Principle of least privilege: Grant each MCP tool only the minimum permissions it requires.
Secrets management: Use a dedicated secrets manager instead of environment variables. Inject secrets dynamically at runtime.
Component signing: Apply signatures to MCP server binaries and skill packages.
DevSecOps integration: Automate MCP security as part of the CI/CD pipeline.

Conclusion — Finding the Balance Between Convenience and Security

MCP is the protocol that has made it possible for AI agents to perform real work. However, the reality of 30 CVEs in 60 days is a stark reminder that “connectivity equals vulnerability” — a fundamental principle of security.

What matters for EMs and CTOs is not banning MCP, but building a framework for safe usage within a controlled environment. Removing unauthenticated servers, enforcing runtime isolation, and establishing an approval process — implementing just these three measures can mitigate over 76% of currently reported CVEs.

As AI agents embed themselves deeper into core business operations, MCP security is no longer optional — it is essential.