Fetching from the wire…
Top 5 · 2026-07-18 · source-backed
A large-scale audit across popular MCP directories found security issues in 5,832 of 9,695 servers, with 2,259 containing exploitable vulnerabilities that go beyond simple auth gaps: arbitrary file access, command injection, SSRF, SQL injection. GBHackers has the writeup. A separate framework, MCPPrivacyDetector, found credentials, API keys, and PII leaking at rates over 10% across 10,000+ real-world servers.
The number that should change your behavior isn't 2,259. It's this: stars, repository activity, and verification badges did not reliably correlate with security posture.
That's the heuristic. That's the entire heuristic most of us use. You search for an MCP server, you sort by stars, you glance at last-commit date, you check for a checkmark, you install it. The audit says all four of those signals are uninformative about whether the thing has a command injection hole in it.
I've got a handful of MCP servers wired into my daily setup. I picked them exactly that way. I have not read the source of most of them. If you're honest, neither have you.
What makes this worse than a normal supply-chain problem is the trust position. An MCP server isn't a library you call with controlled inputs. It's a component you hand tool-call authority to, that runs with your credentials, in a loop, on content it fetched from somewhere. An SSRF in a random npm package is a bug. An SSRF in an MCP server your agent calls in a loop is a pivot into your network with a machine driving.
This didn't happen in isolation this week. The NSA published a Cybersecurity Information Sheet on MCP deployment naming the inverted client-server pattern, unverified task propagation, and arbitrary-code-execution exposure as structural risks rather than implementation bugs. JetStream Security shipped a governance layer that verifies third-party MCP server images before enterprise agents connect. Government guidance for a protocol barely a year old is a strong tell about where procurement gates land next: expect MCP allowlisting and provenance to become a checklist item at any company with a security review.
Actionable version, in order. One: list the MCP servers you actually have connected right now. Most people find one or two they forgot about. Two: for each, answer what credentials it can see and what network it can reach. Three: for anything that scores badly on both, read the source or drop it. Four: if you ship an MCP server, document your tool descriptions' trust assumptions now, because taint-style attacks via tool descriptions are an active research area (arXiv 2607.07461) and you'll be asked.
I don't think most people will do any of this. The friction is real and the payoff is invisible. But the gap between "9,695 servers audited" and "23% exploitable" is a number that'll show up in an incident report eventually.
Each link below shares sources, entities, or timing with this story.
Trend Micro criticizes MCP / Shared entities / Shared topic / Earlier coverage
Linked by a graph relationship (Trend Micro criticizes MCP); both cover MCP, SSRF; overlapping topics (agent, found, have, security, server).
BlueRock criticizes MCP / Shared entities / Shared topic / Earlier coverage / Tension
Linked by a graph relationship (BlueRock criticizes MCP); both cover MCP, SSRF; overlapping topics (agent, credential, security, server, ssrf).
Cursor uses MCP / Shared entity: MCP / Same source domain / Shared topic / Earlier coverage
Linked by a graph relationship (Cursor uses MCP); both cover MCP; reported by the same outlet (arxiv.org).
Anthropic released MCP / Shared entities / Same source domain / Shared topic / Earlier coverage / Tension
Linked by a graph relationship (Anthropic released MCP); both cover MCP, SSRF; reported by the same outlet (arxiv.org).
Anthropic released MCP / Shared entity: MCP / Shared topic / Earlier coverage / Tension
Linked by a graph relationship (Anthropic released MCP); both cover MCP; overlapping topics (description, found, have, injection, security).
OWASP released MCP / Shared entities / Shared topic / Earlier coverage
Linked by a graph relationship (OWASP released MCP); both cover MCP, SSRF; overlapping topics (agent, found, security, server, ssrf).
OX Security criticizes MCP / Shared entity: MCP / Same source domain / Shared topic / Earlier coverage
Linked by a graph relationship (OX Security criticizes MCP); both cover MCP; reported by the same outlet (adversa.ai).
Adversa AI criticizes MCP / Shared entity: MCP / Same source domain / Shared topic / Earlier coverage
Linked by a graph relationship (Adversa AI criticizes MCP); both cover MCP; reported by the same outlet (adversa.ai).