Model Context Protocol has a security problem that won't go away.
When VentureBeat first reported on MCP's vulnerabilities last October, the data was already alarming. Pynt's research showed that deploying just 10 MCP plug-ins creates a 92% probability of exploitation — with meaningful risk even from a single plug-in.
The core flaw hasn't changed: MCP shipped without mandatory authentication. Authorization frameworks arrived six months after widespread deployment. As Merritt Baer, chief security officer at Enkrypt AI, warned at the time: "MCP is shipping with the same mistake we've seen in every major protocol rollout: insecure defaults. If we don't build authentication and least privilege in from day one, we'll be cleaning up breaches for the next decade."
Three months later, the cleanup has already begun — and it's worse than expected.
Clawdbot changed the threat model. The viral personal AI assistant that can clear inboxes and write code overnight runs entirely on MCP. Every developer who spun up a Clawdbot on a VPS without reading the security docs just exposed their company to the protocol's full attack surface.
Itamar Golan saw it coming. He sold Prompt Security to SentinelOne for an estimated $250 million last year. This week, he posted a warning on X: "Disaster is coming. Thousands of Clawdbots are live right now on VPSs … with open ports to the internet … and zero authentication. This is going to get ugly."
He's not exaggerating. When Knostic scanned the internet, they found 1,862 MCP servers exposed with no authentication. They tested 119. Every server responded without requiring credentials.
Anything Clawdbot can automate, attackers can weaponize.
Three CVEs are exposing the same architectural flaw
The vulnerabilities aren't edge cases. They're direct consequences of MCP's design decisions. Here's a brief description of the workflow that exposes each of the following CVEs:
- CVE-2025-49596 (CVSS 9.4): Anthropic's MCP Inspector exposed unauthenticated access between its web UI and proxy server, allowing full system compromise via a malicious webpage.
- CVE-2025-6514 (CVSS 9.6): Command injection in mcp-remote, an OAuth proxy with 437,000 downloads, enabled attackers to take over systems by connecting to a malicious MCP server.
- CVE-2025-52882 (CVSS 8.8): Popular Claude Code extensions exposed unauthenticated WebSocket servers, enabling arbitrary file access and code execution.
Three critical vulnerabilities in six months. Three different attack vectors. One root cause: MCP's authentication was always optional, and developers treated optional as unnecessary.
The attack surface keeps expanding
Equixly recently analyzed popular MCP implementations and also found several vulnerabilities: 43% contained command injection flaws, 30% permitted unrestricted URL fetching, and 22% leaked files outside intended directories.
Forrester analyst Jeff Pollard described the risk in a blog post: "From a security perspective, it looks like a very effective way to drop a new and very powerful actor into your environment with zero guardrails."
That's not an exaggeration. An MCP server with shell access can be weaponized for lateral movement, credential theft, and ransomware deployment, all triggered by a prompt injection hidden in a document the AI was asked to process.
Known vulnerabilities, deferred fixes
Security researcher Johann Rehberger disclosed a file exfiltration vulnerability last October. Prompt injection could trick AI agents into transmitting sensitive files to attacker accounts.
Anthropic launched Cowork this month; it expands MCP-based agents to a broader, less security-aware audience. Same vulnerability, and this time it's immediately exploitable. PromptArmor demonstrated a malicious document that manipulated the agent into uploading sensitive financial data.
Anthropic's mitigation guidance: Users should watch for "suspicious actions that may indicate prompt injection."
a16z partner Olivia Moore spent a weekend using Clawdbot and captured the disconnect: "You're giving an AI agent access to your accounts. It can read your messages, send texts on your behalf, access your files, and execute code on your machine. You need to actually understand what you're authorizing."
Most users don't. Most developers don't either. And MCP's design never required them to.
Five actions for security leaders
- Inventory your MCP exposure now. Traditional endpoint detection sees Node or Python processes started by legitimate applications. It doesn't flag them as threats. You need tooling that identifies MCP servers specifically.
- Treat authentication as mandatory. The MCP specification recommends OAuth 2.1. The SDK includes no built-in authentication. Every MCP server touching production systems needs auth enforced at deployment, not after the incident.
- Restrict network exposure. Bind MCP servers to localhost unless remote access is explicitly required and authenticated. The 1,862 exposed servers Knostic found suggest most exposures are accidental.
- Assume prompt injection attacks are coming and will be successful. MCP servers inherit the blast radius of the tools they wrap. If a server wraps cloud credentials, filesystems, or deployment pipelines, design its access controls assuming the agent will be compromised.
- Force human approval for high-risk actions. Require explicit confirmation before agents send external email, delete data, or access sensitive information. Treat the agent like a fast but literal junior employee who will do exactly what you say, including things you didn't mean.
The governance gap is wide open
Security vendors moved early to monetize MCP risk, but most enterprises didn’t move nearly as fast.
Clawdbot adoption exploded in Q4 2025. Most 2026 security roadmaps have zero AI agent controls. The gap between developer enthusiasm and security governance is measured in months. The window for attackers is wide open.
Golan is right. This is going to get ugly. The question is whether organizations will secure their MCP exposure before someone else exploits it.
