Agents
Token Security to Present 'MCPwned' Research at RSAC 2026 — 38% of 500+ MCP Servers Lack Authentication
Token Security announced RSAC 2026 presentation 'MCPwned,' disclosing systematic MCP server attack patterns covering credential theft, managed identity token exfiltration, and privilege escalation via malicious tool calls. Their scan of 500+ public MCP servers found 38% with no authentication, and 30 MCP CVEs were filed in the past 60 days. The research formalizes what practitioners have been observing informally — the MCP attack surface is now large enough to anchor a dedicated conference track.
Source
↳ Follow the thread