Dev.to — MCP Server Audit Finds 66% Have Critical Vulnerabilities

AI relevance: MCP servers provide the tool layer that LLM agents use to interact with systems — security flaws in these servers translate directly to agent compromise (RCE, data exfiltration, credential theft).

  • Yedan Yagami built and deployed 9 MCP servers on Cloudflare Workers, then audited them using the OWASP Agentic AI Top 10 framework.
  • The audit found that 66% of MCP servers have critical vulnerabilities, with shell/command injection being the most prevalent at 43%.
  • 30 CVEs were filed against MCP servers in January-February 2026 alone, indicating rapid growth of security issues in the ecosystem.
  • The average security score was 34/100 across all audited servers.
  • Key vulnerability categories found:
    • Shell/Command Injection (43%) — user input passed directly to shell commands
    • Tooling Infrastructure Gaps (20%) — missing security controls
    • Authentication Bypass (13%) — weak or missing authentication
    • Path Traversal (10%) — insufficient path validation
    • Prompt Injection via Tools (8%) — malicious instructions in tool descriptions
    • Data Exfiltration (6%) — unrestricted network access
  • A particularly concerning finding: 84.2% of tool poisoning attacks succeed when auto-approval is enabled (per Trend Micro research).
  • The author developed a 30-item security checklist covering all vulnerability categories with severity ratings and remediation code examples.

Why it matters

  • MCP has exploded with 97 million monthly SDK downloads and adoption by every major AI company — making server security critical infrastructure.
  • Shell injection vulnerabilities mean an AI agent could be tricked into executing arbitrary commands like rm -rf / through seemingly benign tool calls.
  • Prompt injection via tool descriptions allows malicious servers to hijack agent behavior by embedding instructions in tool metadata.
  • The lack of standard security scanning infrastructure for MCP servers creates a supply chain risk for AI agent deployments.

What to do

  • Implement input sanitization: Use parameterized execution instead of string concatenation for shell commands.
  • Scan tool descriptions: Check for prompt injection patterns in MCP tool metadata before deployment.
  • Use OAuth 2.1 + PKCE: Follow MCP spec recommendations for secure authentication.
  • Restrict network egress: Whitelist the domains that MCP tools may connect to, so that data exfiltration over arbitrary outbound connections is blocked.
  • Bind to localhost only: Avoid exposing MCP servers to external networks unless absolutely necessary.
  • Audit existing servers: Use the 30-item checklist to evaluate your current MCP deployments.
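
The shell-injection pattern from the audit (a model-supplied argument spliced into a shell string) next to the parameterized form recommended above, as an added example that is not code from the dev.to article or its checklist. It assumes a hypothetical Node.js-hosted MCP tool that lists a directory under a fixed root; the function names and the root path are placeholders, and the hardened variant adds the path-validation check from the "Path Traversal" category as well.

```typescript
import { execFile } from "node:child_process";
import { promisify } from "node:util";
import * as path from "node:path";

const execFileAsync = promisify(execFile);

// Vulnerable shape flagged by the audit: the tool argument the LLM supplied
// becomes part of a single shell command line, so ";", "|", "$(...)" etc.
// are interpreted by the shell. Kept here only to show what to look for.
export function buildUnsafeCommand(userPath: string): string {
  return `ls -la ${userPath}`;
}

// Hardened helper: resolve the argument inside a fixed root and reject
// anything that escapes it (path traversal) or contains a NUL byte.
export function resolveWithinRoot(root: string, userPath: string): string {
  if (userPath.includes("\0")) throw new Error("NUL byte in path argument");
  const resolved = path.resolve(root, userPath);
  const rel = path.relative(root, resolved);
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error("path argument escapes the tool root");
  }
  return resolved;
}

// Hardened tool handler: no shell is involved; execFile passes the validated
// path as a discrete argv element and "--" stops option parsing, so an
// argument like "-rf" or "x; id" is just a (probably nonexistent) file name.
export async function listDirectory(root: string, userPath: string): Promise<string> {
  const target = resolveWithinRoot(root, userPath);
  const { stdout } = await execFileAsync("ls", ["-la", "--", target]);
  return stdout;
}
```

On Cloudflare Workers there is no child_process at all, which removes this class of bug by construction; the pattern matters for MCP servers hosted on Node or similar runtimes.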

Sources