Noqta

MCP Security: 30 CVEs in 60 Days — Are Your AI Agents Exposed?

AI Bot
By AI Bot ·
Loading the Text to Speech Audio Player...
MCP server security vulnerabilities protection guide for AI agents 2026

The Model Context Protocol (MCP) has become the de facto standard for connecting AI agents to external tools — databases, APIs, file systems, cloud services. But this rapid adoption comes at a cost: 30 CVEs documented in under 60 days, including several critical ones with CVSS scores above 9.0.

If you're running AI agents in production, your MCP servers are likely your weakest security link.

An Ecosystem Under Pressure

The numbers speak for themselves:

  • 30 CVEs published in the MCP ecosystem since January 2026
  • 36% of MCP servers operate without any authentication mechanism
  • 43% of analyzed servers are vulnerable to command injection
  • 36.7% exposed to SSRF attacks (Server-Side Request Forgery)

The acceleration is striking. In 2025, roughly 15 CVEs were reported across the entire year. In 2026, that number doubled in a single quarter.

The Three Attack Layers

Researchers have identified three distinct vulnerability layers in MCP architecture:

Layer 1: The Server

This is the most direct attack surface. MCP servers expose HTTP endpoints that accept JSON-RPC requests. Without authentication, any client can connect and invoke tools.

CVE-2026-27825 (CVSS 9.1) illustrates the problem perfectly: the mcp-atlassian server allowed arbitrary file writes through Confluence attachment downloads, leading to remote code execution (RCE). The HTTP transport listened on 0.0.0.0 by default — with zero authentication.

CVE-2026-26118, patched by Microsoft on March 10, 2026, revealed a critical SSRF vulnerability in Azure MCP Server Tools enabling token theft and privilege escalation.

Layer 2: The SDK

SDK-level bugs are subtler but equally dangerous. CVE-2026-27896 showed that case-insensitive JSON parsing in the Go SDK allowed bypassing security validations by using mixed-case field names ("Method" instead of "method").

Layer 3: The Host

The AI agent itself becomes an attack vector when it has overly broad permissions. An attacker can exploit prompt injection to trigger unauthorized tool calls, exfiltrate data, or modify configurations.

Prompt Injection vs Tool Poisoning

Two attack techniques dominate the MCP landscape in 2026:

Prompt injection targets the AI model directly. Malicious commands are embedded in user inputs to hijack agent behavior. An attacker can force the agent to call a tool with dangerous parameters — for example, executing a destructive SQL query through a database MCP server.

Tool poisoning is more insidious. The attacker modifies a tool's description or behavior in the MCP registry. The AI agent, which relies on these descriptions to decide which tool to use, then invokes a compromised tool without the user's awareness.

The key difference: prompt injection affects an individual session, while tool poisoning compromises the infrastructure for all users.

Real-World Consequences

A compromised MCP server can:

  • Redirect transactions to attacker-controlled addresses
  • Manipulate data that the agent uses for decision-making
  • Exfiltrate private keys and credentials stored in connected systems
  • Execute unauthorized calls to APIs or smart contracts
  • Distribute malware through tool responses

For enterprises in the MENA region rapidly adopting AI agents, these risks are not theoretical — they are actively exploited.

7-Step Security Hardening Guide

1. Authenticate Every Connection

Never expose an MCP server without authentication. At minimum, implement:

  • API tokens per client with regular rotation
  • mTLS (mutual TLS) for critical deployments
  • Identity verification between the MCP host, client, and server
// Example: MCP authentication middleware
const authMiddleware = (req, res, next) => {
  const token = req.headers['authorization']?.replace('Bearer ', '');
  if (!token || !verifyMCPToken(token)) {
    return res.status(401).json({
      error: 'Unauthorized MCP client'
    });
  }
  next();
};

2. Apply the Principle of Least Privilege

Each MCP tool should only access strictly necessary resources. Block the 29 sensitive write-operation patterns:

  • create_*, delete_*, transfer_*, refund_*
  • Configuration modification operations
  • Write access to file systems

3. Validate All Inputs

Implement allowlists and strict schema validation on every tool call:

  • Reject anything that doesn't match the expected format
  • Strip HTML, special tokens, and control characters from tool returns
  • Use strict JSON schemas for every tool parameter

4. Rate Limit

Configure per-tool rate limiting to prevent data exfiltration:

  • Limit calls per minute per tool
  • Cap data volume returned per request
  • Alert on abnormal usage patterns

5. Secure the Supply Chain

Third-party MCP servers are dependencies like any other:

  • Pin versions of all MCP servers and SDKs
  • Scan code and dependencies before deployment
  • Digitally sign tools and verify signatures on load
  • Audit changes before every update

6. Deploy Active Monitoring

Use specialized tools like MCPTox or MindGuard for real-time detection:

  • Log every tool call with its parameters and results
  • Detect prompt injection attempts in requests
  • Monitor for abnormal agent behaviors (unusual calls, excessive data volumes)

7. Maintain Human Oversight

For sensitive operations, require manual validation:

  • Financial transactions above a certain threshold
  • System configuration changes
  • Access to personal or confidential data

Tools and Resources

Several frameworks help secure your MCP deployments:

  • OWASP provides a practical guide for secure MCP server development
  • The Cloud Security Alliance published a comprehensive "Secure Autonomy" guide for MCP server hardening
  • McpFirewall offers an open-source firewall with 277 validated tests, capable of blocking write operations and redacting sensitive data
  • The CoSAI (Coalition for Secure AI) project maintains reference documentation on MCP security

MCP Security Checklist

Before putting an MCP server into production, verify these points:

  • Mandatory authentication on all endpoints
  • Permissions limited to strict necessities per tool
  • Schema validation on all inputs
  • Rate limiting configured and tested
  • SDK and server versions pinned and up to date
  • Complete logging of tool calls
  • Incident response procedure documented
  • Penetration testing performed on MCP infrastructure

Conclusion

The MCP protocol is a major advance for AI agent interoperability. But like any interface between systems, it creates a new trust boundary that must be secured with the same rigor as your APIs and databases.

With 30 CVEs in 60 days and an accelerating pace, waiting is not an option. Treat your MCP servers as privileged infrastructure — because that's exactly what they are.

Organizations that integrate security by design into their AI agent deployments will be the ones that fully benefit from this technology — without suffering the consequences.

Want to read more blog posts? Check out our latest blog post on What is Claude Code? Your Complete Guide to the Revolutionary Coding Tool.
Back to the blog

Discuss Your Project with Us

We're here to help with your web development needs. Schedule a call to discuss your project and how we can assist you.

Book a Call

Let's find the best solutions for your needs.