Top 5 · 2026-07-07 · source-backed
36.7% of scanned MCP servers are exposed to SSRF, 42% leak credentials
Story
BlueRock scanned over 7,000 MCP servers against 22-plus security rules. 36.7% carry potential server-side request forgery exposure from unrestricted outbound fetch, and 42% handle credentials insecurely. Their worked example is Microsoft's 85K-star Markitdown MCP server and its unbounded-fetch pattern. Source.
This is the finding that turns "MCP is risky" from a vibe into a number. We've spent months hand-waving about agent security. BlueRock put a denominator under it. Better than a third of the servers agents are connecting to right now will happily fetch whatever URL you feed them, which means an attacker who can influence a tool's input can make your agent reach into your internal network, hit your cloud metadata endpoint, and pull back secrets. SSRF is a 15-year-old bug class. It just got a new delivery mechanism that ships with an eager autonomous client attached.
And it's not theoretical this week. Unit 42 caught live campaigns hiding agent instructions in HTML body, JSON-LD, Open Graph tags, and off-screen CSS to trick browsing agents into sending crypto payments, with 4 of 26 tested models failing to act safely. Source. Sysdig documented JADEPUFFER, an LLM agent that drove an entire ransomware intrusion through a vulnerable Langflow instance. Source. The MCP exposure BlueRock measured is the static surface. Those two are the surface being actively worked.
What to do, concretely. Pin your MCP server dependencies. Bound every outbound fetch to an allowlist. Treat any tool that fetches a URL as an SSRF liability by default, not after an incident. If you run Markitdown or anything like it, put it behind egress controls that can't reach [redacted] or your internal ranges. And stop trusting URL-resolving tools with the same casualness you'd trust a pure-compute tool. The composability that makes MCP great is exactly the property that makes a compromised server a pivot point into everything the agent can touch. We solved this in web apps with egress filtering and SSRF guards years ago. The agent ecosystem is speedrunning the same mistakes with a bigger blast radius.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Same source / Shared topic / Earlier coverage
5,618 MCP Servers Scanned: 90% Unverified, 36.7% SSRF-Exposed, 37% Zero Auth
Both cover BlueRock, MCP, SSRF, URL; cite the same source (Source); overlapping topics (agent, security, server, ssrf).
Shared entities / Shared topic / Earlier coverage
8,000+ MCP Servers Exposed on Public Internet
Both cover BlueRock, MarkItDown MCP, Microsoft, SSRF; overlapping topics (bluerock, markitdown, server); earlier BlueRock coverage from 2026-03-03.
Shared entities / Shared topic / Earlier coverage / Tension
MCP Servers Are The New Shadow IT: 30 CVEs in 60 Days, 82% Vulnerable to Path Traversal, 38% Have Zero Auth
Both cover MCP, Microsoft, Treat; overlapping topics (security, server, tool); earlier MCP coverage from 2026-03-23.
Shared entities / Same source domain / Shared topic / Earlier coverage
MCP "sampling" is an untrusted prompt-injection channel, and most filters don't watch it.
Both cover LLM, MCP, Unit; reported by the same outlet (unit42.paloaltonetworks.com); overlapping topics (agent, server).
Shared entities / Shared topic / Earlier coverage / Tension
10 actionable skills from today's findings:
Both cover LLM, MCP, SSRF; overlapping topics (agent, server); earlier LLM coverage from 2026-03-22.
Shared entities / Same source / Shared topic / Earlier coverage
Unit 42: Indirect Prompt Injection Now Observed in the Wild.
Both cover HTML, Unit; cite the same source (Source); overlapping topics (agent, credential).
Shared entities / Shared topic / Earlier coverage
Windsurf prompt-injection RCE: attacker HTML can register a malicious MCP server.
Both cover HTML, MCP, Treat; overlapping topics (agent, fetch, server); earlier HTML coverage from 2026-06-05.
MCPwned: Azure MCP SSRF Chain Leads to Full Tenant Credential Takeover.
Both cover MCP, Microsoft, SSRF; overlapping topics (credential, server, ssrf); earlier MCP coverage from 2026-03-19.
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — July 7, 2026
- AI generated
- no
- Story unit
- 2026-07-07-36-7-of-scanned-mcp-servers-are-exposed-to-ssrf-42-leak-credentials
- Labels
- source-backed, canonical briefing excerpt