OWASP MCP Top 10 — 38% of MCP Servers Have No Authentication, 30+ CVEs in 60 Days

AI relevance: The Model Context Protocol is the connective tissue between LLMs and enterprise tools — 38% of deployed MCP servers have zero authentication, meaning AI agents are exposing internal tool inventories and capabilities to unauthenticated attackers.

OWASP's new MCP Top 10 paints a stark picture of security maturity in the Model Context Protocol ecosystem. A scan of 500+ MCP servers found 38% running with no authentication at all. In the 60 days since the list was published, 30+ CVEs have been filed against MCP implementations.

  • The highest severity CVE reached CVSS 9.6 (CVE-2025-6514, the mcp-remote command injection affecting 437,000+ downloads).
  • A STDIO vulnerability (CVE-2026-30623) enables remote code execution across every official MCP SDK — Python, TypeScript, Java, and Rust.
  • The STDIO flaw impacts an estimated 200,000+ vulnerable instances across 7,000+ public servers, with 150M+ total downloads affected.
  • Of 2,614 MCP implementations surveyed, 82% use file operations vulnerable to path traversal.
  • Research documented a Denial-of-Wallet (DoW) attack where a malicious MCP server induces the LLM into a recursive reasoning loop, amplifying token consumption by 142.4x.
  • Four architectural factors make MCP's attack surface wider than standard APIs: bidirectional communication (servers can query the LLM back), multi-tool sessions, natural language control via tool descriptions, and high-privilege access to filesystems, databases, and external APIs.
  • Microsoft researchers characterize the risk as "keys to the kingdom" — one compromised MCP server can grant access to everything connected to the same session.

Why it matters

MCP is becoming the default protocol for connecting AI agents to enterprise systems. The authentication gap (38% with zero auth) means attackers can enumerate internal tool inventories, identify high-value targets, and potentially execute commands through poisoned tool descriptions — all without any credentials.

What to do

  • Audit every MCP server in your deployment: verify authentication is enabled and enforce it.
  • Version-pin MCP servers and review their permissions — treat them like software dependencies, not harmless plugins.
  • Implement output validation for tool responses; don't trust tool output implicitly just because it came from a registered tool.
  • Put human approval in front of irreversible actions (code changes, data writes, infrastructure modifications).
  • Review the OWASP MCP Top 10 for your specific implementation: owasp.org/www-project-mcp-top-10
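To make the first four actions concrete, here is a small policy gate that an MCP server could place in front of tool dispatch. It is an added example, not code from OWASP or from any MCP SDK, and it enforces three of the controls above: a bearer token on every request (the 38% gap), confinement of tool-supplied file paths to one workspace root (the traversal class behind the 82% figure), and an explicit human-approval flag for irreversible tools. The token, workspace path and tool names are constructed for the demo.

```python
import hmac
import os
from pathlib import Path

# Constructed sample configuration for the demo; not real deployment values.
EXPECTED_TOKEN = "demo-token-change-me"
FILE_ROOT = Path("/srv/mcp/workspace")   # the only directory file tools may touch
IRREVERSIBLE_TOOLS = {"write_file", "run_migration", "delete_record"}


class PolicyError(Exception):
    """A tool call that violates the gate; the server returns it as an error."""


def check_auth(headers: dict) -> None:
    """Reject any request lacking a matching bearer token (constant-time compare)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise PolicyError("missing bearer token")
    if not hmac.compare_digest(auth[len("Bearer "):], EXPECTED_TOKEN):
        raise PolicyError("invalid bearer token")


def confine_path(user_path: str, root: Path = FILE_ROOT) -> Path:
    """Join a tool-supplied path onto root and require the result to stay inside it.
    normpath collapses '..' and os.path.join discards root for an absolute
    user_path, so both traversal shapes are caught without touching the disk.
    In production also resolve() against the real directory to defeat symlinks."""
    candidate = Path(os.path.normpath(os.path.join(str(root), user_path)))
    if candidate != root and root not in candidate.parents:
        raise PolicyError(f"path escapes workspace: {user_path}")
    return candidate


def gate_tool_call(headers: dict, tool: str, args: dict, human_approved: bool = False) -> dict:
    """Run all three checks and return a verdict the dispatcher can act on."""
    try:
        check_auth(headers)
        if tool in IRREVERSIBLE_TOOLS and not human_approved:
            raise PolicyError(f"{tool} is irreversible and needs human approval")
        safe_args = dict(args)
        if "path" in safe_args:
            safe_args["path"] = str(confine_path(safe_args["path"]))
    except PolicyError as exc:
        return {"allowed": False, "reason": str(exc), "args": None}
    return {"allowed": True, "reason": "ok", "args": safe_args}


if __name__ == "__main__":
    hdr = {"Authorization": f"Bearer {EXPECTED_TOKEN}"}
    print(gate_tool_call({}, "read_file", {"path": "README.md"}))           # no auth
    print(gate_tool_call(hdr, "read_file", {"path": "../../outside.txt"}))  # traversal
    print(gate_tool_call(hdr, "write_file", {"path": "out.txt"}, True))     # approved
```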
