Agents
Measurement study: ~40% of remote MCP servers expose tools with no authentication
A first large-scale measurement of authentication on remote Model Context Protocol servers found roughly 40% expose their tools with no authentication at all, and the work surfaced nine CVEs traced to broken OAuth flows in MCP implementations. This quantifies the long-suspected MCP auth crisis and gives security teams a concrete baseline as the ecosystem migrates toward OAuth 2.1. For builders deploying MCP servers, the takeaway is blunt: unauthenticated tool exposure is the norm, not the exception, and remote servers should be treated as an open attack surface until proven otherwise.
Source
↳ Follow the thread