TrendAI Audit Finds 4,982 Security Flaws Across 2,259 Public MCP Servers
AI relevance: MCP servers connect AI agents to terminals, databases, and files — a single compromised server exposes entire agentic workflows to attack.
Key Findings
- TrendAI crawled four major MCP directories (GitHub, Glama, Lobehub, PulseMCP) between November 2025 and March 2026, identifying 9,695 unique servers
- 5,832 servers showed some form of security weakness; after excluding 3,573 flagged solely for lacking authentication, 2,259 remained with confirmed vulnerabilities
- 4,982 documented issues span arbitrary file access (880), denial-of-service (490), command injection (476), SSRF (422), SQL injection (211), prompt injection (185), XSS (155), code injection (101), and authorization bypass (8)
- Popularity offers no protection: high-star servers had similar issue counts to low-star ones, but created larger blast radius when flaws existed
- Verification badges are unreliable: verified servers averaged nearly as many security issues as unverified ones
- Active maintenance didn't meaningfully improve security, though zero-commit repositories (likely forks/mirrors) showed highest average issue counts
- One developer released 40+ cryptocurrency-focused MCP servers without directory verification, resulting in 101 security issues across 13 servers including SSTI enabling full RCE and prompt injection altering agent behavior
- Office-automation servers contained code-injection flaws calling Python's
eval()directly, alongside path-traversal vulnerabilities in a document-handling server with 100+ stars - Commercial enterprise middleware vendors' servers contained SQL injection flaws exploitable via natural-language queries and unauthenticated Active Directory access enabling reconnaissance and privilege escalation
- Issues frequently clustered together (arbitrary file access + missing authentication), suggesting broad input validation gaps rather than one-off mistakes
Why It Matters
MCP servers are the connective tissue of agentic AI systems, bridging language models to external tools, data sources, and execution environments. When these servers contain vulnerabilities, attackers can hijack agent behavior, exfiltrate sensitive data, escalate privileges, or pivot to backend systems. The study debunks dangerous assumptions that popularity, active maintenance, or verification badges signal safety — all three proved unreliable as security indicators.
What to Do
- Audit all third-party MCP server code before deployment; do not rely on directory verification badges
- Enforce authentication and least-privilege access for every MCP integration
- Validate all inputs rigorously, especially natural-language queries that may be converted to SQL or shell commands
- Inspect MCP traffic in real time to detect anomalous tool calls or data exfiltration patterns
- Monitor for prompt injection attempts in tool descriptions and metadata
- Segment MCP servers from critical backend systems; treat them as untrusted zones