MCP shipped without authentication. Clawdbot shows why that's a problem.

2026-01-26 14:51:12
There is a security issue in the Model Context Protocol (MCP) that will not go away.

When VentureBeat first reported on MCP’s vulnerabilities last October, the data was already worrying. Pynt’s research showed that deploying just 10 MCP plug-ins creates a 92% chance of exploitation, with meaningful exposure even from a single plug-in.

The core problem has not changed: MCP shipped without mandatory authentication. The authorization framework arrived only after six months of widespread deployment. As Merritt Baer, EncryptAI’s chief security officer, warned at the time: "MCP is shipping with the same mistake we’ve seen in every major protocol rollout: insecure defaults. If we don’t build authentication and least privilege in from day one, we’ll be cleaning up breaches for the next decade."

Three months later, the cleanup has begun – and it’s worse than expected.

Clawdbot changed the threat model. The viral personal AI assistant, which can clean out inboxes and write code overnight, runs entirely on MCP. Every developer who launched Clawdbot on a VPS without reading the security documentation exposed their company to the protocol’s full attack surface.

Itamar Golan saw it coming. He sold Prompt Security to SentinelOne last year for an estimated $250 million. This week, he posted a warning on X: "Disaster is coming. Thousands of Clawdbots are live on VPS right now… with ports open to the Internet… and with zero authentication. This is going to be ugly."

He is not exaggerating. When Knostic scanned the Internet, they found 1,862 MCP servers without any authentication. They tested 119. Every server responded without requiring credentials.

Anything Clawdbot can automate, an attacker can weaponize.

Three CVEs exposing the same architectural flaw

These vulnerabilities are not edge cases. They are a direct result of MCP’s design decisions. Here is a brief description of each CVE and the workflow that exposes it:

  • CVE-2025-49596 (CVSS 9.4): Anthropic’s MCP Inspector exposed unauthenticated access between its web UI and proxy server, leading to full system compromise via a malicious webpage.

  • CVE-2025-6514 (CVSS 9.6): Command injection in mcp-remote, an OAuth proxy with 437,000 downloads, enables attackers to take over a system by connecting to a malicious MCP server.

  • CVE-2025-52882 (CVSS 8.8): The popular Claude Code extension exposed unauthenticated WebSocket servers, enabling arbitrary file access and code execution.

Three critical vulnerabilities in six months. Three different attack vectors. One root cause: MCP authentication was always optional, and developers treated optional as unnecessary.

The attack surface keeps expanding

A recent analysis of popular MCP implementations found several classes of vulnerabilities: 43% had command injection flaws, 30% allowed unrestricted URL fetching, and 22% leaked files outside their intended directories.

Forrester analyst Jeff Pollard described the risk in a blog post: "From a security perspective, this appears to be a very effective way of releasing a new and very powerful actor into your environment with zero guardrails."

This is not an exaggeration. MCP servers with shell access can be weaponized for lateral movement, credential theft, and ransomware deployment, all triggered by a prompt injection hidden in a document the AI was asked to process.

Known vulnerabilities, delayed fixes

The file exfiltration vulnerability was disclosed by security researcher Johann Rehberger last October. Prompt injection can cause AI agents to transfer sensitive files to attacker-controlled accounts.

Anthropic launched Cowork this month, extending MCP-based agents to a broader, less security-conscious audience. Same vulnerability, and this time it’s immediately exploitable. PromptArmor demonstrated a malicious document that manipulated the agent into uploading sensitive financial data.

Anthropic’s mitigation guidance: users should pay attention to "Suspicious actions that may indicate prompt injection."

a16z partner Olivia Moore spent a weekend using Clawdbot and captured the disconnect: "You are giving the AI agent access to your accounts. It can read your messages, send texts on your behalf, access your files and execute code on your machine. You really need to understand what you are authorizing."

Most users do not do this. Most developers don’t either. And MCP’s design never required them to.

Five tasks for security leaders

  • Inventory your MCP exposure now. Traditional endpoint detection sees Node or Python processes started by legitimate applications and does not flag them as a threat. You need tooling that specifically identifies MCP servers.

  • Treat authentication as mandatory. The MCP specification recommends OAuth 2.1, but the SDKs include no built-in authentication. Every MCP server that touches production systems needs authentication at deployment time, not after the incident.

  • Restrict network exposure. Bind MCP servers to localhost unless remote access is explicitly required and authenticated. Of the 1,862 exposed servers Knostic found, most exposures appeared to be accidental.

  • Assume prompt injection attacks are coming and will succeed. MCP servers inherit the blast radius of the tools they wrap. Does the server wrap cloud credentials, file systems, or deployment pipelines? Design access controls assuming the agent will be compromised.

  • Require human approval for high-risk actions. Agents should need explicit confirmation before sending external emails, deleting data, or accessing sensitive information. Treat the agent like a sharp but literal junior employee who will do exactly what you say, including the things you didn’t mean.
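The first and third tasks above (inventory the listeners, keep them on localhost) can be checked from a host's own socket table. The script below is an added example, not code from the article or from any MCP project: it parses the text layout `ss -tlnp` prints on Linux, skips loopback-only listeners, and flags interpreter processes bound beyond loopback, promoting the finding when the process command line names MCP. All sample socket rows and command lines are constructed; the port numbers, paths and pid values are placeholders.

```python
# Added example: flag listening sockets that may be MCP servers reachable beyond loopback.
# Parses the text layout `ss -tlnp` prints on Linux; all sample data below is constructed.
import re

INTERPRETERS = {"node", "python", "python3", "bun", "deno"}  # typical MCP server hosts

SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    0.0.0.0:3000       0.0.0.0:*         users:(("node",pid=4211,fd=22))
LISTEN 0      511    127.0.0.1:8787     0.0.0.0:*         users:(("node",pid=4399,fd=19))
LISTEN 0      128    *:18789            *:*               users:(("python3",pid=5120,fd=7))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=3))
"""
# Constructed pid -> command line map; on a real host read /proc/<pid>/cmdline instead.
SAMPLE_CMDLINES = {
    4211: "node /opt/agent/gateway.js --port 3000",
    4399: "node /srv/mcp-filesystem/index.js",
    5120: "python3 -m my_mcp_server --host 0.0.0.0",
    812: "/usr/sbin/sshd -D",
}

LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')

def is_loopback(host: str) -> bool:
    return host == "::1" or host == "localhost" or host.startswith("127.")

def audit(ss_output: str, cmdlines: dict) -> list:
    """Return (pid, process, bind_host, port, reason) for each listener worth reviewing."""
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header row or a line without process info
        host, port = m.group(1).rsplit(":", 1)
        host = host.strip("[]")  # "[::]" -> "::"
        proc, pid = m.group(2), int(m.group(3))
        if is_loopback(host):
            continue  # only the local box can reach it; that is the recommended posture
        cmd = cmdlines.get(pid, "").lower()
        if "mcp" in cmd:
            reason = "command line names MCP; listener reachable beyond loopback"
        elif proc in INTERPRETERS:
            reason = "interpreter process bound beyond loopback; confirm whether it serves MCP"
        else:
            continue  # e.g. sshd: not an agent listener, covered by normal host hardening
        findings.append((pid, proc, host, int(port), reason))
    return findings
```

Run `audit(SAMPLE_SS, SAMPLE_CMDLINES)` to see the two flagged listeners; on a live host feed it the real `ss -tlnp` output and a command-line map built from /proc.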

The governance gap is wide open

Security vendors moved quickly to monetize MCP risk, but most enterprises have not moved as quickly.

Clawdbot adoption exploded in the fourth quarter of 2025. Most 2026 security roadmaps have zero AI agent controls. The gap between developer enthusiasm and security governance is measured in months. The window is open for attackers.

Golan is right. This is going to be ugly. The question is whether organizations will protect their MCP exposure before someone else takes advantage of it.
