Vibe Coding
Pattern: MCP Security Reaches Crisis Point — 43% of Public Servers Vulnerable, First In-the-Wild Exploit Lands
MCPwn (CVE-2026-33032) marks the first major MCP exploit actively exploited in the wild, but it's the tip of the iceberg: April 2026 research found 43% of public MCP servers vulnerable to command execution, and Microsoft's @azure-devops/mcp npm package shipped without authentication on sensitive endpoints. The MCP spec now mandates OAuth 2.1 with incremental scope consent, but adoption lags. Builders adding MCP servers should audit auth on every endpoint, not just the primary ones.
Source
↳ Follow the thread