arXiv: 40.55% of Remote MCP Servers Expose Tools Without Auth
AI relevance: Remote MCP servers are how AI agents reach your cloud services. When such a server runs without authentication, any caller on the internet can invoke its privileged agent tools directly, turning your agent integrations into open attack surface.
Key Findings
- Researchers identified 7,973 live remote MCP servers across the internet. Of these, 40.55% expose tools without any authentication.
- Among authenticated servers, OAuth is the dominant mechanism. The study found three MCP-specific OAuth characteristics that create new attack surfaces: open client environments, dynamic client registration, and delegated authorization.
- A semi-automated detection framework tested 119 OAuth-enabled MCP servers and found that every one of them had at least one flaw (325 in total), with dynamic client registration implicated in 96.6% of the servers tested.
- The taxonomy covers four categories and nine concrete flaw types, ranging from MCP-specific authentication gaps to conventional OAuth misconfigurations amplified by the MCP protocol design.
- Many flaws lead to sensitive information leakage and account takeover; responsible disclosure produced 9 CVE IDs.
Why It Matters
The MCP protocol was designed as a connector standard that lets AI agents reach file systems, databases, APIs, and SaaS tools. Remote MCP servers extend this to cloud services (social, productivity, finance). When roughly 40% of these servers expose tools without authentication, an attacker can simply call those tools directly: no user session, no OAuth flow, no credential required. Even among OAuth-protected servers, exposed dynamic client registration lets an attacker register a client under their own control, which the study ties to the bulk of the flaws it found and which is a first step toward the information leakage and account takeover the paper documents. For organizations running AI agents with access to sensitive services, this means their tool integrations are essentially open doors.
What to Do
- Audit your MCP server deployments: verify that every server rejects an unauthenticated `tools/list` or `tools/call` (a 401 with a `WWW-Authenticate` challenge is the expected behavior) rather than returning a tool list.
- Disable dynamic client registration on OAuth-enabled MCP servers and use pre-registered, scoped client credentials. Note that the MCP authorization spec expects servers to support dynamic registration for interoperability with generic clients, so where it cannot be disabled, constrain it (initial access tokens, strict redirect URI allowlists, per-client scopes) instead of leaving it open.
- Apply zero-trust controls at the MCP tool integration layer: treat every MCP server as an untrusted third party, require authentication on every request, and grant each tool only the scopes it needs.
- Implement monitoring for anomalous MCP tool invocation patterns from unknown or newly registered clients.
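The audit steps above, as an added example that is not part of the original summary or of the paper's own detection framework. The script sends a JSON-RPC `initialize` and then `tools/list` over the MCP Streamable HTTP transport with no `Authorization` header and classifies the reply: a 401/403 means auth is enforced, a returned tool list means the server is open, anything else is inconclusive. A second helper inspects RFC 8414 authorization-server metadata for an advertised `registration_endpoint` (dynamic client registration) and for missing PKCE `S256`. The protocol version string, the `mcp-auth-audit` client name, the `https://mcp.example.invalid/mcp` URL, and the sample responses are assumptions constructed for the example; the header names `Mcp-Session-Id` and `MCP-Protocol-Version` come from the MCP transport spec. Only run the live probe against servers you are authorized to test.

```python
"""Unauthenticated-probe audit for remote MCP servers (added example, not the paper's tooling)."""
import json
import urllib.error
import urllib.request

MCP_PROTOCOL_VERSION = "2025-06-18"  # assumed protocol version string


def _rpc(method, req_id, params=None):
    """Build a JSON-RPC 2.0 request body for the MCP Streamable HTTP transport."""
    return {"jsonrpc": "2.0", "id": req_id, "method": method, "params": params or {}}


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    return {k.lower(): v for k, v in headers.items()}.get(name.lower(), "")


def _extract_messages(content_type, body_text):
    """Yield JSON-RPC messages from a plain JSON body or an SSE stream.

    Streamable HTTP servers may answer a POST with application/json or with
    text/event-stream, where each message sits in a `data:` line.
    """
    if "text/event-stream" in (content_type or ""):
        for line in body_text.splitlines():
            if line.startswith("data:"):
                payload = line[len("data:"):].strip()
                if payload:
                    yield json.loads(payload)
    elif body_text.strip():
        yield json.loads(body_text)


def classify_tools_response(status, headers, body_text):
    """Classify the reply to an unauthenticated tools/list.

    'AUTH_ENFORCED' : 401/403 challenge, the expected behaviour
    'OPEN_TOOLS'    : a non-empty tool list came back with no credential
    'INCONCLUSIVE'  : JSON-RPC error, unparsable body, or other status
    """
    if status in (401, 403):
        return "AUTH_ENFORCED"
    if status != 200:
        return "INCONCLUSIVE"
    try:
        for msg in _extract_messages(_header(headers, "Content-Type"), body_text):
            tools = (msg.get("result") or {}).get("tools")
            if isinstance(tools, list) and tools:
                return "OPEN_TOOLS"
    except (json.JSONDecodeError, AttributeError):
        pass
    return "INCONCLUSIVE"


def audit_oauth_metadata(meta):
    """Flag risky settings in RFC 8414 authorization-server metadata.

    DCR_ENABLED  : registration_endpoint advertised (RFC 7591), so any caller
                   can mint a client; the study tied DCR to 96.6% of flawed servers.
    NO_PKCE_S256 : S256 not advertised; MCP requires PKCE for its public clients.
    """
    findings = []
    if meta.get("registration_endpoint"):
        findings.append("DCR_ENABLED")
    if "S256" not in (meta.get("code_challenge_methods_supported") or []):
        findings.append("NO_PKCE_S256")
    return findings


def probe_server(mcp_url, timeout=10):
    """Live check: initialize, then tools/list, both without Authorization."""
    headers = {"Content-Type": "application/json",
               "Accept": "application/json, text/event-stream",
               "MCP-Protocol-Version": MCP_PROTOCOL_VERSION}
    init_params = {"protocolVersion": MCP_PROTOCOL_VERSION, "capabilities": {},
                   "clientInfo": {"name": "mcp-auth-audit", "version": "0.1"}}
    verdict = "INCONCLUSIVE"
    for body in (_rpc("initialize", 1, init_params), _rpc("tools/list", 2)):
        req = urllib.request.Request(mcp_url, data=json.dumps(body).encode(),
                                     headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                status, hdrs, text = resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            status, hdrs, text = e.code, dict(e.headers), e.read().decode("utf-8", "replace")
        except urllib.error.URLError:
            return "INCONCLUSIVE"
        verdict = classify_tools_response(status, hdrs, text)
        if verdict == "AUTH_ENFORCED":
            return verdict  # rejected already at initialize: nothing more to learn
        session = _header(hdrs, "Mcp-Session-Id")
        if session:
            headers["Mcp-Session-Id"] = session  # carry the session into tools/list
    return verdict


# Constructed sample responses (not captured from any real server).
SAMPLE_OPEN_SSE = ('event: message\n'
                   'data: {"jsonrpc":"2.0","id":2,"result":{"tools":[{"name":"send_email"}]}}\n\n')
SAMPLE_CHALLENGE = {"WWW-Authenticate": 'Bearer resource_metadata="https://mcp.example.invalid/.well-known/oauth-protected-resource"'}
SAMPLE_META_DCR = {"issuer": "https://auth.example.invalid", "registration_endpoint": "https://auth.example.invalid/register",
                   "code_challenge_methods_supported": ["S256"]}

if __name__ == "__main__":
    print(classify_tools_response(200, {"Content-Type": "text/event-stream"}, SAMPLE_OPEN_SSE))
    print(classify_tools_response(401, SAMPLE_CHALLENGE, ""))
    print(audit_oauth_metadata(SAMPLE_META_DCR))
    # print(probe_server("https://mcp.example.invalid/mcp"))  # live probe, authorized targets only
```

An `OPEN_TOOLS` verdict on a production endpoint is the 40.55% case from the paper; the fix is to make the server answer 401 with a `WWW-Authenticate` challenge pointing at its protected-resource metadata before any tool is listed or called. Treat `INCONCLUSIVE` as a prompt for manual review rather than a pass.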