← The Wire

Public story · 2026-07-08 · high

40% of MCP servers require no authentication, audit finds

The same audit found 43% have command-injection holes and 79% store credentials in plain text.

Why now: Codersera pitches this checklist as the 2026 security baseline for MCP servers, not a nice-to-have add-on.

Confidence
high
Sources
1
Redaction
passed

Story

A security audit found that 40% of MCP servers run with no authentication at all, per Codersera. Anyone running one for internal tools or a customer-facing agent has three ways in. No login screen, an injectable tool input, or a credentials file an attacker doesn't even need to crack.

The audit lays out five fixes. Use OAuth 2.1 with mandatory PKCE, not optional. Validate the token's audience so one scoped for a single service can't get replayed against another.

Allow-list every tool input instead of trusting what comes in. Block egress to private IP ranges so a compromised tool can't pivot into your internal network over SSRF. And never forward the client's token upstream to another service.

That's the rule Codersera says people miss, and it's the one that matters most. Passing a user's token to a downstream MCP server looks like normal auth delegation. It also means one compromised server inherits the permissions of every service it talks to. If you've chained MCP servers together, audit that chain before anything else on this list.

Most teams will fix the obvious stuff, the missing auth and the plaintext secrets, and skip the token-forwarding review because no scanner flags it. That's the hole that gets used first.

Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entities / Same source / Shared topic / Earlier coverage

    Most public MCP servers skip authentication entirely

    Both cover Codersera, MCP, OAuth, PKCE; cite the same source ((Codersera)); overlapping topics (allow list, auth, block, checklist, client).

  2. Shared entities / Shared topic / Earlier coverage

    One-Third of MCP Servers Are Vulnerable — 492 Have Zero Authentication

    Both cover MCP, OAuth, SSRF; overlapping topics (client, server); earlier MCP coverage from 2026-03-14.

  3. MCP Authentication Crisis: The Numbers That Matter

    Both cover MCP, OAuth, PKCE; overlapping topics (server, token); earlier MCP coverage from 2026-02-23.

  4. Shared entities / Shared topic / Earlier coverage / Tension

    36.7% of scanned MCP servers are exposed to SSRF, 42% leak credentials

    Both cover MCP, SSRF; overlapping topics (credential, egress, server); earlier MCP coverage from 2026-07-07.

  5. Agent Security

    Both cover MCP, OAuth; overlapping topics (against, audit, server); earlier MCP coverage from 2026-02-22.

  6. Shared entities / Shared topic / Earlier coverage

    The MCP auth spec now wants delegation, not agent-owned API keys.

    Both cover MCP, OAuth; overlapping topics (audience, auth, server, token); earlier MCP coverage from 2026-06-29.

  7. Shared entities / Shared topic / Earlier coverage / Tension

    10 actionable skills from today's findings:

    Both cover MCP, SSRF; overlapping topics (server, token); earlier MCP coverage from 2026-03-22.

  8. Shared entities / Shared topic / Earlier coverage

    MCPwned: Azure MCP SSRF Chain Leads to Full Tenant Credential Takeover.

    Both cover MCP, SSRF; overlapping topics (credential, server, token); earlier MCP coverage from 2026-03-19.

Source trail

Entities

Claim evidence

  1. 40% of MCP servers require no authentication, audit finds

Provenance

Canonical issue
2026-07-08
AI generated
yes
Story unit
2026-07-08-harden-every-mcp-server-against-the-2026-baseline
Labels
source-backed, canonical briefing excerpt