
Censys scanned the public internet and found 12,520 Model Context Protocol services sitting there, exposed. Roughly 40 percent have zero authentication. Academic researchers separately audited 39,884 open-source MCP server repositories using a purpose-built tool called VIPER-MCP and found 106 confirmed zero-day vulnerabilities, 67 of which now have CVE IDs. When NSA publishes a 15-page security guidance document about a developer protocol, the theoretical risk phase is over.
The Numbers Are Not Theoretical
Knostic manually verified 119 of those exposed servers. Every single one allowed unauthenticated access to its tool listing — no credentials, no token, no challenge. Just a GET request to /tool/list and you have a full inventory of what the server can do. Trend Micro’s April 2026 follow-up found that the number of cloud-hosted exposed MCP servers tripled from 492 to 1,467 since their July 2025 report. That is not a plateau; that is acceleration.
Of the 492 servers Trend Micro catalogued, at least 8 directly manage cloud provider resources — they can list, create, modify, and delete infrastructure. And 74 percent are hosted on AWS, Azure, GCP, or Oracle. Your “internal tool” is running in the cloud with a publicly accessible port and no front door.
What VIPER-MCP Found
The VIPER-MCP paper (published May 20, 2026) is the most rigorous security audit the MCP ecosystem has received. Researchers used two-pass static analysis to find taint-style vulnerabilities — places where user-controlled input flows, unsanitized, into shell execution, network requests, or file system operations. They then generated working proof-of-concept prompts to confirm exploitability end-to-end.
Out of 39,884 open-source MCP server repositories, they found 106 zero-days. These are not edge cases in obscure servers; they are in packages developers install and run. This is the supply chain problem that makes the authentication gap worse: even if your deployment has auth, the server code itself may be exploitable.
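The taint pattern VIPER-MCP looks for, as an added example rather than code from the paper or from any audited server: a tool handler whose caller-supplied argument reaches a shell, beside a version that confines the path under an allowed root and never hands input to a shell at all. The tool, its root directory and the file names are constructed.

```python
import subprocess
from pathlib import Path

# Constructed tool: count the lines of a file the caller names. This is not
# code from any audited MCP server; it shows the taint pattern the paper
# describes and one way to close it.
ALLOWED_ROOT = Path("/srv/mcp-data")   # hypothetical directory the tool may read

def count_lines_vulnerable(path: str) -> str:
    # "Before": caller-controlled text is spliced into a shell command line.
    # Any shell metacharacters in `path` are interpreted by the shell, so the
    # caller's input decides what runs, not the tool author.
    cmd = f"wc -l {path}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def resolve_within(path: str, root: Path = ALLOWED_ROOT) -> Path:
    """Resolve `path` under `root` and refuse anything that escapes it
    (`..` segments, absolute paths, symlinks that point outside)."""
    root = root.resolve()
    candidate = (root / path).resolve()    # non-strict: works for missing files too
    if not candidate.is_relative_to(root):
        raise PermissionError(f"{path!r} escapes {root}")
    return candidate

def is_allowed(path: str, root: Path = ALLOWED_ROOT) -> bool:
    try:
        resolve_within(path, root)
        return True
    except PermissionError:
        return False

def safe_argv(path: str, root: Path = ALLOWED_ROOT) -> list[str]:
    # "After", when an external program is unavoidable: an argv list and no
    # shell, so metacharacters are just odd filename characters, and the path
    # is confined before it is used.
    return ["wc", "-l", "--", str(resolve_within(path, root))]

def count_lines_hardened(path: str, root: Path = ALLOWED_ROOT) -> int:
    # Better still: do the work in-process and never reach a command sink.
    with resolve_within(path, root).open("rb") as fh:
        return sum(1 for _ in fh)
```

The confinement check alone is what turns a traversal string into a refused request; the switch from a shell string to an argv list is what removes the command-injection sink.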
The Blast Radius Is Bigger Than You Think
Researchers demonstrated the real-world stakes against Microsoft’s MarkItDown MCP server: they retrieved AWS IAM access keys, secret keys, and session tokens from an EC2 instance’s metadata endpoint. The MCP server was the pivot point — not the cloud infra itself. One misconfigured server became a gateway to the entire AWS environment it operated in.
Akamai disclosed separate flaws: SQL injection in the Apache Doris MCP server, an unauthenticated metadata-exfiltration vulnerability in Alibaba’s RDS MCP, and a potential takeover in Apache Pinot’s MCP (which runs on plain HTTP with no auth layer by default). These are not toy projects. These are integrations developers deploy in production.
Having Auth Is Not Enough
Of the servers that do enforce some form of authentication, 53 percent use static API keys. A static API key has no expiration, no per-operation scope, and in most implementations gets shared across all callers — human or agent. A single leaked key compromises every system that server connects to, with no way to scope the damage.
The correct approach, per the MCP spec and convergent guidance from Red Hat, Descope, and Stacklok, is OAuth 2.1 for HTTP-based transports. Per-request identity. Short-lived tokens scoped per service. Automatic rotation. Most deployed servers are nowhere near this.
NSA and OWASP Have Both Shown Up
In May 2026, the NSA published Model Context Protocol: Security Design Considerations for AI-Driven Automation — fifteen pages covering the minimum baseline the agency considers acceptable for production MCP deployments. The three non-negotiables: no static service accounts, minimum-scope access, and a curated internal registry where every MCP server is vetted and signed before it runs.
OWASP published its Practical Guide for Secure MCP Server Development in parallel, with the OWASP MCP Top 10 now being mapped directly to NSA requirements. When two of the most credible security institutions in the world publish coordinated guidance on the same protocol in the same month, that is a signal worth taking seriously.
What to Do Now
Four steps in order of urgency:
- Audit what you are running. Use Shodan or Censys to check if your MCP server is publicly accessible. If you do not know, assume it is.
- Add auth or take it offline. No authentication means attackers can enumerate your tools in seconds. If you cannot implement OAuth 2.1 immediately, require a bearer token at minimum and rotate it weekly.
- Scope your permissions down. The MCP server should access only what it needs — not blanket database admin, not wildcard S3 access. Treat it like any other service account.
- Pin and update your server versions. VIPER-MCP found 106 zero-days in open-source packages. Check your MCP server’s CVE history. Treat it as a dependency you actively maintain, not a binary you deploy once and forget.
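An added example (not code from the MCP spec, the NSA guidance or any vendor) of the token properties the "Having Auth Is Not Enough" section contrasts with static API keys and that the bearer-token fallback in step two should have: signed, short-lived, bound to one caller and one service, and scoped per tool. The signing key, service name and scope names are constructed; in production the issuer would be an OAuth 2.1 authorization server, but the validation order is the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed: the key the token issuer shares with this MCP server, and the
# server's own service identifier. In production the issuer is an OAuth 2.1
# authorization server; the checks in verify_token are the ones that matter.
SIGNING_KEY = b"example-only-replace-me"
SERVER_AUDIENCE = "mcp://files-server"     # hypothetical service identifier

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(body: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())

def issue_token(subject, scopes, ttl_seconds=300, audience=SERVER_AUDIENCE, now=None):
    """Mint a token bound to one caller, one server, an explicit scope list and a short lifetime."""
    issued = int(now if now is not None else time.time())
    claims = {"sub": subject, "aud": audience, "scope": list(scopes),
              "iat": issued, "exp": issued + ttl_seconds}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return f"{body}.{_sign(body)}"

def verify_token(token, required_scope, audience=SERVER_AUDIENCE, now=None):
    """Return the caller identity or raise PermissionError; verify the signature before trusting any claim."""
    if token.count(".") != 1:
        raise PermissionError("malformed token")
    body, sig = token.split(".")
    if not hmac.compare_digest(sig, _sign(body)):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    current = now if now is not None else time.time()
    if current >= claims["exp"]:
        raise PermissionError("token expired")          # a static key never does this
    if claims["aud"] != audience:
        raise PermissionError("token meant for another service")
    if required_scope not in claims["scope"]:
        raise PermissionError(f"scope {required_scope!r} not granted")
    return claims["sub"]

def authorize_tool_call(headers, tool_name, now=None):
    """Per-request gate run before dispatching a call to `tool_name`."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise PermissionError("no bearer token")
    return verify_token(auth[len("Bearer "):], f"tools:{tool_name}", now=now)
```

Each denial maps to a property a static API key lacks: the expiry check bounds the lifetime of a leak, the audience check stops a token for one server being replayed against another, and the scope check limits a leaked token to the tools it was issued for.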
The MCP security curve is following the same arc as early cloud and early API security: rapid adoption, insecure defaults, lagging awareness, then institutional pressure forcing baseline standards. The Trend Micro research shows the exposed surface growing, not shrinking. The NSA guidance and OWASP Top 10 are that institutional pressure arriving. Developers who get ahead of it now will spend considerably less time explaining to stakeholders how their AI agent leaked production credentials.