← The Wire

Top 5 · 2026-02-22 · source-backed

Bitdefender Quantifies MCP Security Crisis: 53% Static Credentials, 8.5% OAuth

Confidence
source-backed
Sources
1
Redaction
redacted

Story

Bitdefender published the most alarming MCP security metric to date: 53% of open-source MCP server implementations rely on insecure static credentials while only 8.5% use OAuth. The report identifies five risk categories: opt-in (not default) security, supply chain poisoning, over-permissioned tokens/confused deputy, injection attacks, and absent audit logging. Two specific CVEs cited: CVE-2025-6514 (CVSS 9.6 RCE in mcp-remote) and CVE-2025-32711 ("EchoLeak" silent data exfiltration via Microsoft 365 Copilot). Builder takeaway: Audit your MCP servers TODAY. Replace static credentials with OAuth. Bitdefender

Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entities / Shared topic / What happened next / Tension

    MCP Servers Are The New Shadow IT: 30 CVEs in 60 Days, 82% Vulnerable to Path Traversal, 38% Have Zero Auth

    Both cover Audit, CVE, CVEs, CVSS; overlapping topics (chain, security, server); picks up the Audit thread on 2026-03-23.

  2. Shared entities / Shared topic / What happened next

    The Agent Security Crisis Is Here: 36% of ClawHub Skills Malicious, 30+ MCP CVEs, RCE in Microsoft Agent Framework

    Both cover Audit, CVE, CVEs, CVSS; overlapping topics (attack, audit, chain); picks up the Audit thread on 2026-03-05.

  3. Shared entities / Same source / Shared topic / What happened next

    MCP Authentication Crisis: The Numbers That Matter

    Both cover Bitdefender, Builder, MCP, OAuth; cite the same source (Bitdefender); overlapping topics (attack, builder, chain, oauth, server).

  4. Shared entities / Shared topic / What happened next

    The MCP supply chain has a hole in the floor, and it's being exploited right now

    Both cover Audit, CVE, CVEs, CVSS; overlapping topics (chain, server); picks up the Audit thread on 2026-06-17.

  5. Shared entities / Same source / Shared topic

    Bitdefender MCP Security Deep Dive

    Both cover Bitdefender, CVEs, MCP, OAuth; cite the same source (Bitdefender); overlapping topics (bitdefender, category, security).

  6. Shared entities / Shared topic / What happened next

    CISA Confirms: Your AI Security Scanner Got Backdoored. Federal Deadline Is April 8.

    Both cover Audit, CVE, CVEs, Replace; overlapping topics (attack, chain, credential, security); picks up the Audit thread on 2026-03-28.

  7. IDEsaster: 100% of Tested AI IDEs Vulnerable to Prompt Injection → RCE

    Both cover Builder, CVE, CVEs, RCE; overlapping topics (attack, builder, chain, copilot); picks up the Builder thread on 2026-02-27.

  8. CVE-2026-33010: Any Website Can Read and Delete Your Agent's Memories

    Both cover CVE, CVEs, CVSS, MCP; overlapping topics (attack, audit, security); picks up the CVE thread on 2026-03-21.

Source trail

Entities

Provenance

AI generated
no
Story unit
2026-02-22-bitdefender-quantifies-mcp-security-crisis-53-static-credentials-8-5-oauth
Labels
source-backed, canonical briefing excerpt