The Model Context Protocol logged 95 CVEs in 2025. The year before: effectively zero. Trend Micro’s TrendAI State of AI Security Report tracked the spike across 6,086 total AI-related CVEs, and MCP servers stand out as the single fastest-growing category. Then January and February 2026 added 30 more. The protocol that was supposed to give AI agents safe, structured access to tools and data has instead become the widest-open door in the AI stack.
This is not about any single bug. It is about a protocol that reached 10,000+ public server implementations before its security model caught up. The breach data tells the story.
The Numbers: From Zero to 95 in One Year
Before 2025, MCP did not have a meaningful CVE count. The protocol was announced in November 2024 and spent its first months as an interesting specification with a handful of reference implementations. By year-end 2025, it had 95 tracked CVEs, accounting for 1.7% of all AI-related vulnerabilities recorded that year.
The breakdown by attack class, drawn from Endor Labs’ analysis of 2,614 MCP implementations, is dominated by old enemies:
- 43% exec/shell injection (CWE-78, CWE-94)
- 36.7% Server-Side Request Forgery (SSRF)
- 10% path traversal (CWE-22)
- 7% Cross-Site Scripting (CWE-79)
- 6% SQL injection (CWE-89)
These are not novel AI-specific attack classes. They are the same vulnerability categories that OWASP has documented for two decades. The difference: MCP’s architecture passes LLM-generated strings to system operations by design, turning every unvalidated input into a potential injection vector.
Trend Micro forecasts 2,800 to 3,600 AI-related CVEs in 2026, a 31-69% increase over the 2,130 recorded in 2025. MCP servers are expected to see the steepest year-over-year growth within that total.
Why These Are Not Just “Theoretical” Bugs
Equixly’s independent audit found that 30% of popular MCP implementations are vulnerable to SSRF attacks. Not theoretically vulnerable: actually exploitable, with working proof-of-concept code. The Microsoft MarkItDown MCP Server had an unpatched SSRF that enabled AWS EC2 metadata exploitation and cloud credential theft. The mcp-fetch-server shipped with a CVSS 9.3 bug where is_ip_private() could be bypassed to reach internal network services.
And Astrix Security’s research on the credential gap makes it worse: 88% of MCP servers require credentials, but 53% use static API keys, only 8.5% implement OAuth, and 38-41% lack any authentication mechanism at all.
The Breach Timeline: 10 Incidents That Define MCP’s Security Year
Individual CVEs are abstract. The incidents they enable are not. Here is the timeline of major MCP security breaches, compiled from AuthZed’s breach tracker and vendor disclosures.
April 2025: WhatsApp MCP Exfiltration
Invariant Labs demonstrated that a malicious MCP server could silently exfiltrate a user’s entire WhatsApp history through tool poisoning. The attack combined a poisoned MCP server with the legitimate whatsapp-mcp server: hundreds of personal messages, business conversations, and customer data forwarded to an attacker-controlled number. The user saw nothing unusual.
May 2025: GitHub MCP Prompt Injection
A malicious public GitHub issue hijacked an AI assistant via the official GitHub MCP server. Private repository contents, internal project details, and personal financial information ended up in a public pull request. The root cause: an over-privileged Personal Access Token combined with zero input sanitization on issue content flowing into the MCP context.
June 2025: Anthropic MCP Inspector RCE
CVE-2025-49596. Unauthenticated remote code execution through the MCP Inspector’s proxy architecture. An attacker could access the entire filesystem, API keys, and environment secrets on developer workstations. The Inspector was supposed to be a debugging tool; instead, it became an entry point.
July 2025: mcp-remote Supply Chain Backdoor
CVE-2025-6514, CVSS 9.6. JFrog disclosed a critical command injection in the OAuth proxy component of mcp-remote, a package with 437,000+ downloads. Malicious MCP servers could achieve remote code execution on any client that connected. The bug affected integration guides from Cloudflare, Hugging Face, and Auth0. Effectively a supply chain backdoor through a widely recommended dependency.
August 2025: Anthropic Filesystem MCP Sandbox Escape
CVE-2025-53109 and CVE-2025-53110. Sandbox escape and symlink/containment bypass in Anthropic’s official Filesystem MCP Server. An attacker could break out of the designated directory and access arbitrary files or execute arbitrary code. The irony: the --repository flag designed to restrict access did not actually restrict access.
September 2025: Postmark MCP Supply Chain Poisoning
A fake “Postmark MCP Server” package on npm injected BCC copies of all email communications to an attacker’s server. Memos, invoices, confidential documents: everything sent through the agent got duplicated. The package looked legitimate, had a plausible name, and went undetected until a security researcher noticed unusual SMTP traffic.
October 2025: Smithery Hosting Platform Breach
GitGuardian found a path-traversal bug in smithery.yaml that leaked ~/.docker/config.json, including a Fly.io API token controlling 3,000+ apps. Inbound client traffic containing API keys and secrets was interceptable. One misconfigured YAML file compromised an entire hosting platform.
October 2025: Figma/Framelink MCP Command Injection
CVE-2025-53967. Command injection via unsanitized user input passed to shell commands in the Framelink MCP server for Figma. 600,000+ downloads affected. The vulnerability pattern was trivial: user-controlled strings concatenated into shell commands without escaping.
January 2026: Anthropic Git MCP Server Triple CVE
CVE-2025-68143, CVE-2025-68144, CVE-2025-68145. Three vulnerabilities in Anthropic’s reference Git implementation enabling path validation bypass, unrestricted git_init, and argument injection. Chained together, they achieve full remote code execution through a malicious .git/config. Anthropic’s fix for the git_init bug was to remove the tool entirely.
February 2026: Asana MCP Cross-Tenant Data Leak
An access control flaw in the Asana MCP integration allowed cross-tenant data visibility. Projects, teams, and task details from one customer were potentially visible to a different customer’s agents. Multi-tenancy, always hard, turns out to be even harder when AI agents are making the requests.
Why MCP Is Architecturally Vulnerable
These breaches are not random. They stem from structural properties of how MCP works.
Command injection by design. MCP’s core purpose is passing instructions from an LLM to system operations. Every tool invocation is, at its foundation, an LLM-generated string being executed by a server. Without rigorous input validation at every boundary, injection is not a bug but a feature of the architecture.
Tool mutation after installation. Unit 42 at Palo Alto Networks documented that MCP tools can change their own definitions after installation. A tool that looks safe during review can reroute API keys to an attacker a week later. Traditional AppSec assumes that reviewed code stays reviewed. MCP breaks that assumption.
Sampling inversion of control. MCP servers can initiate sampling requests back to the client, effectively becoming prompt authors. A server that can request LLM completions has deep influence over what the model sees and produces, a vector Unit 42 demonstrated with three working exploits.
The 86% local deployment problem. Astrix’s data shows 86% of MCP servers run locally with full user privileges. They are not sandboxed, not containerized, not monitored. They run with whatever permissions the developer’s machine has, which in most cases is everything.
Explosive, ungoverned growth. MCP went from 3 implementations in October 2024 to over 10,000 public servers by early 2026. During peak adoption in 2025, up to 1,021 new servers appeared in a single week. The ecosystem grew faster than any security review process could follow. In a typical 10,000-person organization, Astrix estimates 15.28% of employees run an average of 2 MCP servers each, creating 3,056 ungoverned deployment points.
What Changed in November 2025 (and What Did Not)
On MCP’s first anniversary, Anthropic released a major specification update adding OAuth 2.1 authorization, PKCE requirements, Dynamic Client Registration, and mandatory Protected Resource Metadata (RFC 9728). MCP servers no longer issue access tokens directly; dedicated authorization servers handle all token management.
In March 2026, Anthropic donated MCP to the Agentic AI Foundation under Linux Foundation governance, signaling that the protocol’s security evolution would be a community effort rather than a single-vendor responsibility.
These are meaningful steps. They are also late.
The November spec update came after nine months of breaches and nearly 100 CVEs. The OAuth 2.1 mandate is good, but the 8.5% OAuth adoption rate shows how far the installed base is from compliance. The Anthropic reference SQLite MCP server, forked over 5,000 times before Anthropic archived it with no patch, still lives on in thousands of downstream implementations with its SQL injection vulnerability intact.
The OWASP MCP Top 10 and Adversa AI’s MCP Security TOP 25 provide taxonomies. The SlowMist MCP Security Checklist provides operational guidance. The Vulnerable MCP Project tracks 50 known vulnerabilities across 8 categories. The tooling and frameworks exist. The gap is adoption.
What the Trend Data Says About 2026
Trend Micro’s projection of 2,800-3,600 AI CVEs this year is not a scare number. It is a linear extrapolation from what already happened. MCP’s share within that total will almost certainly grow, because two things are true simultaneously: adoption is accelerating and the installed base of insecure servers is not shrinking.
The 518 official MCP servers in the registry as of February 2026 represent the governed surface. The 10,000+ public implementations on GitHub represent the actual surface. The 3,000+ ungoverned deployments in a typical enterprise represent the invisible surface.
If you are running MCP servers in production, the minimum viable security posture is: OAuth 2.1 with PKCE (not static keys), containerized isolation (not local processes), per-tool authorization scopes (not blanket access), and continuous monitoring of tool description changes. The OWASP Practical Guide for Secure MCP Server Development and the MCP Official Security Best Practices are the reference starting points.
The protocol is not broken. But the gap between what MCP enables and what the ecosystem secures is, right now, the largest unresolved risk in production AI infrastructure.
Frequently Asked Questions
How many CVEs have been filed against MCP implementations?
Trend Micro’s TrendAI report tracked 95 MCP-related CVEs in 2025 alone, up from near zero in prior years. An additional 30+ CVEs were filed in January and February 2026. The majority are injection vulnerabilities (43% exec/shell injection), followed by SSRF (36.7%) and path traversal (10%).
What percentage of MCP servers are vulnerable to SSRF?
Equixly’s independent audit found that 30% of popular MCP implementations are vulnerable to SSRF attacks with working proof-of-concept exploits. Broader analysis across 2,614 implementations puts the figure at 36.7% exposed to SSRF vulnerabilities.
What was the worst MCP security breach in 2025?
The mcp-remote command injection (CVE-2025-6514, CVSS 9.6) in July 2025 was arguably the most impactful. It affected a package with 437,000+ downloads and was recommended by Cloudflare, Hugging Face, and Auth0 integration guides. Malicious MCP servers could achieve remote code execution on any client that connected.
Why is MCP particularly vulnerable compared to other protocols?
MCP passes LLM-generated strings to system operations by design, creating inherent injection risk. Additional factors: tools can mutate their definitions after installation, 86% of servers run locally with full user privileges, 38-41% lack any authentication, and adoption grew from 3 implementations to 10,000+ in 13 months with minimal security review.
How can I secure my MCP deployment?
The minimum viable security posture includes: OAuth 2.1 with PKCE instead of static API keys, containerized server isolation, per-tool authorization scopes, and continuous monitoring of tool description changes. The OWASP Practical Guide and the MCP Official Security Best Practices are the recommended starting points.