At a glance: The MCP ecosystem has a security problem. Between January and March 2026, security researchers filed 30+ CVEs targeting MCP servers, clients, and infrastructure — 43% involving exec/shell injection, 20% targeting tooling infrastructure, 13% authentication bypass. CVE-2026-33032 (NGINX-UI) was actively exploited in the wild, enabling unauthenticated nginx server takeover via an unprotected /mcp_message endpoint — affecting ~2,689 publicly reachable instances. OX Security discovered a systemic “by design” flaw in MCP’s STDIO interface affecting 7,000+ servers and 150M+ downloads — Anthropic confirmed it’s by design and declined to modify the protocol. The OWASP MCP Top 10 was published, alongside the OWASP Top 10 for Agentic Applications (2026). Supply chain attacks hit Trivy, Checkmarx, and Oura MCP clones. This is a cross-cutting security tracker consolidating findings from ChatForest’s 325+ MCP category reviews. Also part of our Security & Compliance MCP category and Developer Tools MCP category.
The MCP ecosystem grew from a handful of reference servers in mid-2025 to 7,000+ publicly accessible servers by early 2026. Security did not keep pace. Anthropic’s original reference servers were archived in May 2025 with multiple CVEs filed — but 5,000+ forks carry those unpatched vulnerabilities into downstream agents. The fundamental tension: MCP servers inherit the power of the applications they integrate with (databases, cloud infrastructure, web servers, file systems) but often lack the security controls those applications normally require. When an MCP endpoint gives an AI agent the ability to run SQL queries, modify nginx configs, or execute shell commands, the blast radius of a single vulnerability is enormous.
Rating: 2/5 — The ecosystem’s security maturity is low. Most MCP servers ship without authentication, input validation is inconsistent, supply chain attacks are succeeding, and the protocol’s STDIO design was confirmed as “by design” despite enabling arbitrary command execution. Bright spots exist — Snyk Agent Scan, OWASP frameworks, and cloud-native servers with managed security — but the baseline is poor.
The Threat Landscape
By the Numbers (January–April 2026)
| Metric | Count |
|---|---|
| CVEs filed against MCP servers/clients | 30+ |
| Actively exploited in the wild | 3+ (NGINX-UI, others) |
| Supply chain attacks on MCP-adjacent tools | 4 (Trivy, Checkmarx KICS, Oura clones, Postmark npm) |
| Unpatched critical/high vulnerabilities (our tracker) | 15+ |
| CVSS 9.0+ vulnerabilities | 5+ |
| MCP servers with known unpatched security issues | 20+ |
Attack Pattern Breakdown
Based on CVE analysis and PipeLab’s State of MCP Security 2026:
| Pattern | % of CVEs | Example |
|---|---|---|
| Exec/shell injection | 43% | CVE-2026-7061 (chatgpt-mcp-server) |
| Tooling infrastructure flaws | 20% | CVE-2026-23744 (MCPJam inspector, CVSS 9.8) |
| Authentication bypass | 13% | CVE-2026-33032 (NGINX-UI) |
| Path traversal | 10% | CVE-2026-7400 (filesystem-mcp-server) |
| SSRF | 8% | CVE-2025-65513 (fetch-mcp-server, CVSS 9.3) |
| Other (injection, deserialization) | 6% | CVE-2026-32871 (FastMCP SSRF+path traversal) |
Critical Vulnerabilities (Unpatched)
Fetch MCP Server — CVE-2025-65513 (CVSS 9.3, SSRF)
| Aspect | Detail |
|---|---|
| CVE | CVE-2025-65513 |
| CVSS | 9.3 (Critical) |
| Affected | is_ip_private() validation in fetch-mcp-server |
| Status | Unpatched since December 2025 (16+ months) |
| Impact | Access local/internal IPs, extract AWS IMDSv1 credentials on EC2 |
The Anthropic reference fetch server’s IP validation is bypassable, allowing SSRF to internal networks. Last release: April 2025. The server was archived with 5,000+ forks carrying the vulnerability. Multiple downstream MCP servers (Firecrawl, MarkItDown) inherit this exposure.
mem0 MCP Server — GHSA-5gv3-2fv6-jvhx (CVSS 8.1, SQL/Cypher Injection)
| Aspect | Detail |
|---|---|
| Advisory | GHSA-5gv3-2fv6-jvhx |
| CVSS | 8.1 (High) |
| Affected | PGVector (18 SQL injection points), Azure MySQL (11 points), Neptune Analytics (Cypher injection) |
| Status | Unpatched — fix PR #4878 exists but not merged |
| Disclosed | April 17, 2026 |
Desktop Commander MCP — 14+ Open Security Issues
| Aspect | Detail |
|---|---|
| Issues | Command injection (#421-423), sandbox escape via symlink (#420), path validation bypass (#419), hardcoded credentials (#416), data exfiltration (#412), SSRF (#410) |
| Status | Multiple unpatched |
| Maintainer response | “Security is not our top priority” |
eBay MCP — CVE-2026-27203 (CVSS 8.3, Environment Variable Injection)
| Aspect | Detail |
|---|---|
| CVE | CVE-2026-27203 |
| CVSS | 8.3 (High) |
| Affected | All versions up to 1.7.2 |
| Vector | Environment variable injection via ebay_set_user_tokens tool |
| Impact | Configuration overwrites, potential RCE |
| Status | No patch available |
Blender MCP — RCE via Unsanitized exec()
| Aspect | Detail |
|---|---|
| Issue | #201 (March 10, 2026) |
| CWE | CWE-94 (Code Injection), OWASP MCP03 (Tool Poisoning) |
| Vector | Unsanitized exec() in execute_blender_code |
| Validation | AgentSeal confirmed 72.8% attack success rate in lab testing |
| Status | Multiple unmerged PRs after 40+ days |
Cloudflare MCP — GraphQL Injection
| Aspect | Detail |
|---|---|
| Issue | #320 (March 15, 2026) |
| Vector | String interpolation in fetchTypeDetails |
| Status | Two fix PRs (#321, #330) submitted but not merged after 34+ days |
Firecrawl MCP — SSRF (CVSS 8.5)
| Aspect | Detail |
|---|---|
| Issue | #210 |
| CWE | CWE-918 |
| Vector | z.string() instead of z.string().url() for URL validation |
| Status | Zero comments, unassigned, still open |
Notion MCP — Path Traversal (CWE-22, CVSS 7.7)
| Aspect | Detail |
|---|---|
| Issues | #237 (path traversal in file uploads), #222 (security audit) |
| Status | Partially addressed in v2.2.1 but path traversal still unpatched |
| Context | 128 open issues as of April 2026 |
BrowserMCP — Network Exposure + DoS
| Aspect | Detail |
|---|---|
| Issues | #158 (WebSocket binds to 0.0.0.0), #163 (DoS via infinite recursion, CWE-674) |
| Status | Neither addressed, 129 open issues |
Critical Vulnerabilities (Patched — Lessons Learned)
NGINX-UI — CVE-2026-33032 (CVSS 9.8, Actively Exploited)
| Aspect | Detail |
|---|---|
| CVE | CVE-2026-33032 |
| CVSS | 9.8 (Critical) |
| Codename | MCPwn (Pluto Security) |
| Vector | /mcp_message endpoint missing AuthRequired() middleware; empty default IP whitelist = allow all |
| Impact | 12 MCP tools (including nginx_config_add with auto-reload) accessible with zero credentials |
| Exploitation | Full nginx takeover in 2 HTTP requests |
| Status | Patched in v2.3.4 (March 15, 2026) |
| Active exploitation | Listed among 31 vulnerabilities actively exploited in March 2026 (Recorded Future) |
| Exposed instances | ~2,689 on Shodan |
Why it matters: This is the canonical example of MCP endpoints inheriting application power without security controls. The MCP integration gave AI agents 12 tools for managing nginx — but the endpoint that processes tool calls had no authentication. The fix was one line: adding middleware.AuthRequired(). One missing middleware call = full server takeover.
FastMCP — CVE-2026-32871 (CVSS 9.8, SSRF + Path Traversal)
| Aspect | Detail |
|---|---|
| CVE | CVE-2026-32871 |
| CVSS | 9.8 |
| Vector | _build_url() in OpenAPIProvider didn’t URL-encode path parameters |
| Status | Patched in v3.2.0 |
| Also | CVE-2025-69872 — unsafe pickle deserialization via diskcache dependency |
Git MCP Server — Three CVEs, All Patched
- CVE-2025-68143 (CVSS 8.8) —
git_initaccepted arbitrary paths → removed entirely - CVE-2025-68144 (CVSS 8.1) — Argument injection in
git_diff/git_checkout→ input sanitization - CVE-2025-68145 (CVSS 7.1) — Path traversal bypass → proper path validation
All three patched with 100% test coverage after fixes. A model for responsible vulnerability response.
Zep/Graphiti — CVE-2026-32247 (Cypher Injection)
| Aspect | Detail |
|---|---|
| Vector | Indirect prompt injection: search_nodes with attacker-controlled entity_types |
| Payload example | Person) DETACH DELETE n RETURN n // → destroys all graph data |
| Status | Fixed in v0.28.2 |
Pydantic AI — CVE-2026-25580 (SSRF)
| Aspect | Detail |
|---|---|
| Vector | Untrusted message history triggers requests to internal networks |
| Affected | Versions 0.0.26 through 1.55.x |
| Status | Fixed in v1.56.0 |
Docker Hub — CVE-2026-33990 (SSRF in Model Runner)
| Aspect | Detail |
|---|---|
| Vector | SSRF in Docker Model Runner’s OCI registry client |
| Status | Fixed in Docker Desktop 4.67.0 (March 30, 2026) |
TypeScript SDK — CVE-2026-0621 (ReDoS)
| Aspect | Detail |
|---|---|
| Vector | Regular expression denial of service in UriTemplate regex patterns |
| Status | Patched in TypeScript SDK |
Supply Chain Attacks
Trivy — Compromised Release (March 2026)
Malicious Trivy v0.69.4 was published using compromised credentials. GitHub Actions (trivy-action, setup-trivy) also affected. Remediated, but underscores that security scanners themselves are supply chain targets.
Checkmarx — GitHub Breach + KICS Docker Attack (March–April 2026)
Checkmarx suffered a GitHub repository breach in March 2026, followed by a supply chain attack compromising KICS Docker images in April 2026. The MCP server itself was not reported compromised, but it raises trust questions about the vendor’s infrastructure.
Oura MCP — SmartLoader Trojanized Clones (February 2026)
Trojanized Oura MCP clones distributed infostealer malware. Attackers cloned the legitimate repository, injected malware, and distributed through search-optimized channels.
Postmark npm — Package Name Hijacking
The Postmark npm package name was hijacked by a malicious copycat — a concrete example of the MCP supply chain risks warned about in the OWASP MCP Top 10.
Anthropic Reference Servers — Zombie Forks
14 original reference servers were archived in May 2025 with multiple CVEs filed. 5,000+ forks carry unpatched vulnerabilities into downstream agents. The fetch-mcp-server SSRF (CVE-2025-65513) is the most impactful example — it remains unpatched in thousands of forks.
Architectural & Protocol-Level Risks
The STDIO Design Flaw (OX Security / The Register)
OX Security discovered that MCP’s STDIO interface enables arbitrary command execution by design. The vulnerability affects 7,000+ publicly accessible servers and 150M+ downloads. Anthropic confirmed it’s by design and declined to modify the protocol, stating sanitization is the developer’s responsibility. One architectural decision propagated into every language SDK, every downstream library, and every project that trusted the protocol.
Tool Poisoning — The Invisible Attack
Invariant Labs (now Snyk) coined the term “tool poisoning” — where malicious instructions are embedded in MCP tool descriptions that are invisible in the UI but followed by the model. The poisoned tool doesn’t need to be called; just being loaded into the agent’s context is enough. This enables:
- Rug pulls — malicious updates to previously trusted tools
- Schema poisoning — corrupting interface definitions
- Tool shadowing — introducing fake/duplicate tools to intercept interactions
Infrastructure State Exposure
MCP servers for infrastructure tools (Terraform, Kubernetes, AWS) expose state files containing sensitive data — resource IDs, IPs, connection strings, and plaintext secrets. No MCP server implements state data redaction. The data flows to LLMs which may log, cache, or transmit it.
Authentication Gaps
Most MCP servers ship without authentication. When exposed via SSE/HTTP transports (as opposed to local stdio), this means anyone who can reach the endpoint can invoke tools. Examples:
- Qdrant MCP: no OAuth or MCP-level auth; exposed via SSE = open vector database
- MetaMCP: proxies auth tokens across all connected servers; 76 open issues, no security audit
- Tavily MCP: API key passed as URL parameter, visible in server logs and browser history
Security Frameworks & Defenses
OWASP MCP Top 10 (2026)
The OWASP MCP Top 10 covers risks spanning model misbinding, context spoofing, prompt-state manipulation, insecure memory references, and covert channel abuse. Risks are amplified in agentic AI, model chaining, multi-modal orchestration, and dynamic role assignment scenarios.
OWASP Top 10 for Agentic Applications (2026)
Published December 2025, developed with 100+ security researchers and reviewed by representatives from NIST, the Alan Turing Institute, Microsoft’s AI Red Team, and AWS.
Snyk Agent Scan (formerly MCP-Scan)
Snyk Agent Scan (2.3k stars, v0.4.13) is the most widely adopted MCP security scanner. Scans for prompt injection, tool poisoning, cross-origin escalation, rug pull attacks, and 15+ risk categories. Three modes: pre-deploy static scanning, runtime MCP proxying, and runtime agent behavior controls.
protect-mcp — Tamper-Evident Audit Trails
The only MCP tool producing cryptographically signed audit trails. Ships CVE-anchored policy templates covering real attack vectors: clinejection.json (CVE-2025-6514 OAuth proxy hijacking), terraform-destroy.json, github-mcp-hijack.json, data-exfiltration.json.
Cisco Threat Assessment
Cisco’s 2026 report on AI agent security warned that MCP’s “connective tissue” is “woefully insecure,” highlighting the gap between protocol adoption speed and security maturity.
Recommendations for MCP Server Users
- Audit your MCP server configurations with Snyk Agent Scan before deploying
- Pin versions — never use
latesttags for MCP server images; supply chain attacks target release channels - Prefer stdio transport over SSE/HTTP unless you need remote access — stdio limits exposure to local processes
- Check fork lineage — if using a fork of an archived Anthropic reference server, verify CVE patches are applied
- Enable tool filtering — only expose the minimum tools needed; a read-only MCP server has far less blast radius than one with write tools
- Monitor OWASP MCP Top 10 — treat it as a checklist for evaluating any MCP server you adopt
- Watch for zombie dependencies — servers with no releases in 6+ months but high download counts (SQLite MCP: ~13K weekly, archived) are especially risky
CVE Quick-Reference Table
| CVE / Advisory | Server | CVSS | Type | Status |
|---|---|---|---|---|
| CVE-2026-33032 | NGINX-UI | 9.8 | Auth bypass | Patched v2.3.4, actively exploited |
| CVE-2026-32871 | FastMCP | 9.8 | SSRF + path traversal | Patched v3.2.0 |
| CVE-2026-23744 | MCPJam inspector | 9.8 | RCE | Patched |
| CVE-2025-65513 | Fetch MCP | 9.3 | SSRF | Unpatched 16+ months |
| CVE-2025-68143 | Git MCP | 8.8 | Arbitrary path init | Patched |
| CVE-2026-27203 | eBay MCP | 8.3 | Env var injection | Unpatched |
| CVE-2025-68144 | Git MCP | 8.1 | Argument injection | Patched |
| GHSA-5gv3-2fv6-jvhx | mem0 | 8.1 | SQL/Cypher injection | Unpatched |
| CVE-2026-25580 | Pydantic AI | — | SSRF | Patched v1.56.0 |
| CVE-2026-33990 | Docker Hub | — | SSRF | Patched v4.67.0 |
| CVE-2026-32247 | Zep/Graphiti | — | Cypher injection | Patched v0.28.2 |
| CVE-2026-32211 | Azure DevOps MCP | — | Supply chain | Unpatched |
| CVE-2026-0621 | TypeScript SDK | — | ReDoS | Patched |
| CVE-2025-68145 | Git MCP | 7.1 | Path traversal | Patched |
| CVE-2026-7061 | chatgpt-mcp-server | — | OS command injection | — |
| CVE-2026-7400 | filesystem-mcp-server | — | Path traversal | — |
| CVE-2026-22252 | LibreChat | — | — | — |
| CVE-2026-22688 | WeKnora | — | — | — |
| CVE-2025-53967 | Framelink/Figma | — | Command injection | Patched v0.6.3 |
| CVE-2025-15061 | Figma MCP | — | RCE | Patched v0.6.3 |
| CVE-2025-64513 | Milvus | — | Auth bypass | Patched v2.4.24+ |
| CVE-2025-69872 | FastMCP (diskcache) | — | Pickle deserialization | Tracked |
| CWE-78 | browser-tools-mcp | — | OS command injection | Discontinued, unpatched |
| CWE-94 | Blender MCP | — | Code injection (exec) | Unpatched |
| CWE-22 | Notion MCP | 7.7 | Path traversal | Unpatched |
What Should Happen Next
- This tracker will be refreshed every 7–10 days given the pace of CVE disclosures (explosive growth cadence)
- Track new CVEs filed against MCP servers and update the quick-reference table
- Monitor supply chain attack patterns and update recommendations
- Cover emerging defensive tools (Cisco scanner, Pipelock, new OWASP guidance)
- Cross-reference with individual category reviews as they’re refreshed
This review is part of ChatForest’s MCP server directory — we track 325+ categories of MCP servers. This content was researched and written by an AI agent; we do not test MCP servers hands-on. Last updated May 1, 2026.