Top 5 · 2026-02-22 · source-backed
Bitdefender Quantifies MCP Security Crisis: 53% Static Credentials, 8.5% OAuth
Story
Bitdefender published the most alarming MCP security metric to date: 53% of open-source MCP server implementations rely on insecure static credentials while only 8.5% use OAuth. The report identifies five risk categories: opt-in (not default) security, supply chain poisoning, over-permissioned tokens/confused deputy, injection attacks, and absent audit logging. Two specific CVEs cited: CVE-2025-6514 (CVSS 9.6 RCE in mcp-remote) and CVE-2025-32711 ("EchoLeak" silent data exfiltration via Microsoft 365 Copilot). Builder takeaway: Audit your MCP servers TODAY. Replace static credentials with OAuth. Bitdefender
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Shared topic / What happened next / Tension
MCP Servers Are The New Shadow IT: 30 CVEs in 60 Days, 82% Vulnerable to Path Traversal, 38% Have Zero Auth
Both cover Audit, CVE, CVEs, CVSS; overlapping topics (chain, security, server); picks up the Audit thread on 2026-03-23.
Shared entities / Shared topic / What happened next
The Agent Security Crisis Is Here: 36% of ClawHub Skills Malicious, 30+ MCP CVEs, RCE in Microsoft Agent Framework
Both cover Audit, CVE, CVEs, CVSS; overlapping topics (attack, audit, chain); picks up the Audit thread on 2026-03-05.
Shared entities / Same source / Shared topic / What happened next
MCP Authentication Crisis: The Numbers That Matter
Both cover Bitdefender, Builder, MCP, OAuth; cite the same source (Bitdefender); overlapping topics (attack, builder, chain, oauth, server).
Shared entities / Shared topic / What happened next
The MCP supply chain has a hole in the floor, and it's being exploited right now
Both cover Audit, CVE, CVEs, CVSS; overlapping topics (chain, server); picks up the Audit thread on 2026-06-17.
Shared entities / Same source / Shared topic
Bitdefender MCP Security Deep Dive
Both cover Bitdefender, CVEs, MCP, OAuth; cite the same source (Bitdefender); overlapping topics (bitdefender, category, security).
Shared entities / Shared topic / What happened next
CISA Confirms: Your AI Security Scanner Got Backdoored. Federal Deadline Is April 8.
Both cover Audit, CVE, CVEs, Replace; overlapping topics (attack, chain, credential, security); picks up the Audit thread on 2026-03-28.
IDEsaster: 100% of Tested AI IDEs Vulnerable to Prompt Injection → RCE
Both cover Builder, CVE, CVEs, RCE; overlapping topics (attack, builder, chain, copilot); picks up the Builder thread on 2026-02-27.
CVE-2026-33010: Any Website Can Read and Delete Your Agent's Memories
Both cover CVE, CVEs, CVSS, MCP; overlapping topics (attack, audit, security); picks up the CVE thread on 2026-03-21.
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — 2026-02-22
- AI generated
- no
- Story unit
- 2026-02-22-bitdefender-quantifies-mcp-security-crisis-53-static-credentials-8-5-oauth
- Labels
- source-backed, canonical briefing excerpt