
We Identified Security Flaws in the Model Context Protocol
TL;DR
The Model Context Protocol (MCP) faces serious security issues due to the lack of mandatory authentication. VentureBeat highlighted these risks in a report published last October, revealing that the implementation of just 10 MCP plug-ins offers a 92% likelihood of exploitation.
The Model Context Protocol (MCP) faces serious security issues due to the absence of mandatory authentication. VentureBeat highlighted these risks in a report published last October, revealing that the implementation of just 10 MCP plug-ins offers a 92% likelihood of exploitation. Research from Pynt corroborates this finding, indicating significant risks even with a single plug-in.
The main flaw of the MCP was its launch without mandatory authentication. Authorization frameworks were introduced only six months after the protocol was already in widespread use. Merritt Baer, security director at Enkrypt AI, warns: "The MCP is launching with the same mistake seen in all major protocol launches: insecure standards. If we do not implement authentication from the start, we will face breaches for a decade."
Three months later, the situation is worsening. Clawdbot, an AI personal assistant that automates tasks like email management, is built entirely on MCP. Developers who deployed Clawdbot on virtual private servers (VPS) without following security guidelines are now exposed to the full attack potential of the protocol.
Itamar Golan, who sold his company Prompt Security for an estimated $250 million, had predicted exactly this situation. He recently warned: "A catastrophe is coming. Thousands of Clawdbots are active on VPS with open ports to the internet and no authentication. This is going to get ugly."
Unpatched Critical Vulnerabilities
The security flaws are direct consequences of the MCP's design choices. CVE-2025-49596, for example, allows unauthenticated access between the web interface and the MCP proxy server, enabling full system compromise. Another serious case is CVE-2025-6514, where a command injection in an OAuth proxy allows control of systems. Meanwhile, CVE-2025-52882 enables access to arbitrary files because of unauthenticated WebSocket servers.
With three critical vulnerabilities in six months, the root cause is clear: authentication was made optional, leading developers to disregard it.
The Attack Surface Expands
Analysis from Equixly reveals that 43% of MCP implementations have command injection flaws, while 30% allow unrestricted access to URLs. According to Forrester analyst Jeff Pollard: "This will be an effective way to introduce a new powerful actor into your environment without protection." MCP servers, with shell access, can be used for lateral movement, credential theft, and ransomware deployment, all triggered by a prompt injection attack.
Recommended Actions for Security Leaders
- Inventory your exposure to the MCP now. Traditional endpoint detection tools do not identify MCP servers as threats.
- Treat authentication as mandatory. Implement authentication before deploying MCP servers to production systems.
- Restrict network exposure. Bind MCP servers to localhost unless authenticated remote access is explicitly necessary.
- Assume that prompt injection attacks will happen. MCP servers inherit the blast radius of the tools they expose.
- Require human approval for high-risk actions. Explicit confirmation should be necessary before agents send emails or access sensitive information.
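As an added illustration (not code from the article or from any MCP project), the following Python gate enforces three of the recommendations above on an MCP-style JSON-RPC `tools/call` request: loopback-only binding unless remote access is explicitly enabled, a mandatory bearer token compared in constant time, and a human-approval callback before high-risk tools run. The high-risk tool names, the token and the sample request are constructed for the example.

```python
import hmac
import ipaddress

# Constructed policy for this example: tools an agent may call only after a human confirms.
HIGH_RISK_TOOLS = {"send_email", "read_secrets", "run_shell"}


def safe_bind_host(host: str, remote_access_enabled: bool = False) -> bool:
    """Allow a non-loopback bind address only when remote access is an explicit decision."""
    if host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # unknown hostname: refuse rather than guess
    return addr.is_loopback or remote_access_enabled


def authenticated(headers: dict, expected_token: str) -> bool:
    """Require a bearer token on every request; compare in constant time."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    return hmac.compare_digest(auth[len("Bearer "):], expected_token)


def gate_tool_call(request: dict, headers: dict, expected_token: str, approve) -> dict:
    """Decide whether a tools/call request may proceed. `approve(tool, args)` is the human check."""
    if not authenticated(headers, expected_token):
        return {"allowed": False, "reason": "unauthenticated"}
    if request.get("method") != "tools/call":
        return {"allowed": False, "reason": "unsupported method"}
    params = request.get("params", {})
    tool = params.get("name")
    # Prompt injection can make the agent ask for anything; high-risk tools need a person to say yes.
    if tool in HIGH_RISK_TOOLS and not approve(tool, params.get("arguments", {})):
        return {"allowed": False, "reason": "human approval denied"}
    return {"allowed": True, "reason": "ok"}


if __name__ == "__main__":
    token = "constructed-example-token"  # constructed; load from a secret store in practice
    req = {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
           "params": {"name": "send_email", "arguments": {"to": "ops@example.test"}}}
    print("bind 0.0.0.0 allowed:", safe_bind_host("0.0.0.0"))
    print("no auth header:", gate_tool_call(req, {}, token, lambda t, a: True))
    hdr = {"Authorization": "Bearer " + token}
    print("approval denied:", gate_tool_call(req, hdr, token, lambda t, a: False))
```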
Open Governance Challenges
Although security vendors have rushed to monetize the risks of the MCP, many companies have still not adopted adequate measures. Clawdbot adoption grew exponentially in Q4 2025, yet many 2026 security roadmaps still include no controls for AI agents. The window for attackers remains open.
The question is whether organizations will manage to secure their exposure to the MCP before someone exploits it.
Content selected and edited with AI assistance. Original sources referenced above.


