Public story · 2026-03-14 · source-backed
One-Third of MCP Servers Are Vulnerable — 492 Have Zero Authentication
Story
The agent skills threat isn't isolated. The infrastructure layer is equally compromised.
The Cloud Security Alliance's March 13 State of Cloud and AI Security report analyzed over 7,000 MCP servers and found 36.7% potentially vulnerable to server-side request forgery (SSRF). Independently, Trend Micro found 492 MCP servers running with zero client authentication and zero traffic encryption. Not weak authentication — none.
This is dual-source convergence from two independent security organizations reaching the same conclusion: the MCP ecosystem's security posture is catastrophically immature. When a protocol designed to give agents access to external systems is deployed without authentication on 7% of servers, and vulnerable to SSRF on 37%, you don't have an ecosystem — you have an attack surface.
The pattern is familiar. Researchers warn it mirrors early OAuth misconfigurations that led to widespread credential theft in 2013–2015. The difference: OAuth protected user accounts; MCP protects agent access to tools, databases, APIs, and infrastructure. A compromised MCP server doesn't leak a password — it gives an attacker the ability to execute arbitrary tool calls through an agent with elevated privileges.
The timing couldn't be worse. MCP adoption is accelerating rapidly — CrewAI 1.10.1 just shipped triple-transport MCP support, and every major agent framework is racing to be "MCP-native." Builders are standing up servers as fast as they can, and security hardening is an afterthought when it's a thought at all.
Minimum viable hygiene: add client authentication to every MCP server today. Enable TLS. Validate all tool inputs against SSRF patterns. If your MCP server is reachable from the public internet without auth, you are running an open relay for agent actions. Stop.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Shared topic / What happened next
Most public MCP servers skip authentication entirely
Both cover APIs, MCP, OAuth, SSRF; overlapping topics (access, client, server, tool); picks up the APIs thread on 2026-07-01.
5,618 MCP Servers Scanned: 90% Unverified, 36.7% SSRF-Exposed, 37% Zero Auth
Both cover MCP, SSRF; overlapping topics (agent, found, security, server, ssrf); picks up the MCP thread on 2026-03-22.
Salesforce Just Made Its Entire Platform Into Agent Tooling. No Browser Required.
Both cover APIs, MCP, When; overlapping topics (agent, server, tool); picks up the APIs thread on 2026-04-22.
Shared entities / Shared topic / Earlier coverage / Tension
MCP Ecosystem Crosses 10,000 Servers Under Linux Foundation Governance
Both cover APIs, MCP; overlapping topics (agent, client, ecosystem, server); earlier APIs coverage from 2026-02-23.
Agent Security
Both cover MCP, OAuth; overlapping topics (agent, security, server, tool); earlier MCP coverage from 2026-02-22.
Shared entities / Shared topic / What happened next
380,000 Vibe-Coded Apps Are Live on the Internet. 5,000 Are Leaking Your Medical Records.
Both cover MCP, Researchers, Trend Micro; overlapping topics (authentication, tool); picks up the MCP thread on 2026-05-10.
Anthropic Published the Claude Code Post-Mortem Everyone Needed. Three Bugs, Six Weeks, and Why Transparency Might Be the Best Competitive Advantage in Developer Tools.
Both cover March, MCP, When; overlapping topics (agent, tool); picks up the March thread on 2026-04-24.
Shared entity: MCP / Shared topic / What happened next / Tension
MCP Servers Are The New Shadow IT: 30 CVEs in 60 Days, 82% Vulnerable to Path Traversal, 38% Have Zero Auth
Both cover MCP; overlapping topics (authentication, found, have, security, server); picks up the MCP thread on 2026-03-23.
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent
- AI generated
- no
- Story unit
- 2026-03-14-one-third-of-mcp-servers-are-vulnerable-492-have-zero-authentication
- Labels
- source-backed, canonical briefing excerpt