Research
March 20, 2026 · 12 min read

Why 97% of MCP Servers Fail Basic Security Checks

We audited 200+ public MCP server implementations and found critical vulnerabilities in almost all of them.

By Manta Security Research

Executive Summary

In January 2026, we conducted the largest security audit of Model Context Protocol (MCP) servers to date. After analyzing 247 publicly available MCP implementations across GitHub, npm, and PyPI, the results were alarming: 97.2% contained at least one critical or high-severity vulnerability.

This research highlights the urgent need for security tooling in the rapidly growing AI agent ecosystem.

Methodology

Our audit covered MCP servers published between September 2024 (when Anthropic released the MCP specification) and January 2026. We used a combination of:

  • Static analysis using custom AST parsers
  • Dynamic testing with fuzzing and injection payloads
  • Manual code review for high-profile implementations

We categorized findings using the OWASP Top 10 for LLM Applications framework.

Key Findings

1. Command Injection (83% of servers)

The most common vulnerability was unrestricted command execution. Many MCP tools designed for file operations or system tasks passed user input directly to shell commands without validation.

// Vulnerable pattern found in 83% of implementations
const { exec } = require('node:child_process');
const { promisify } = require('node:util');
const execAsync = promisify(exec);

const server = {
  tools: [{
    name: "run_command",
    execute: async ({ command }) => {
      // The string chosen by the model is handed straight to the system shell.
      const { stdout } = await execAsync(command); // No validation!
      return stdout;
    }
  }]
};

Impact: Complete system compromise. An attacker could execute arbitrary commands through the LLM.

2. Path Traversal (71% of servers)

File-handling tools frequently allowed access outside intended directories, enabling attackers to read sensitive files like /etc/passwd or AWS credentials.

// Vulnerable: No path sanitization
const fs = require('node:fs');

async function readFile({ path }) {
  // The model-supplied path is used as-is, so "../" segments walk out of
  // the intended directory. Allows: ../../../../etc/passwd
  return fs.readFileSync(path, 'utf-8');
}

3. SSRF Vulnerabilities (54% of servers)

Tools that fetch external URLs often lacked proper validation:

  • No blocklist for internal IPs (169.254.169.254, 10.x.x.x)
  • No protocol restrictions (file://, gopher://)
  • DNS rebinding vulnerabilities

4. Missing Rate Limiting (91% of servers)

Almost no implementations included rate limiting, enabling denial of service attacks and resource exhaustion.
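One way to add that missing control, written here as an example and not taken from the audited servers: a per-session token bucket wrapped around each tool handler. The clock is injectable so the limiter can be tested deterministically, the bucket table is bounded so it cannot itself become the exhausted resource, and expensive tools can declare a higher cost per call. The ctx.sessionId field used as the key is an assumption about what the server passes to its handlers.

```javascript
// Added example: per-session token-bucket limiter for MCP tool handlers.
// Not from the audited servers; capacities, refill rates and ctx.sessionId
// are assumptions for the example.
class TokenBucketLimiter {
  // now() is injectable so the limiter can be driven by a fake clock in tests.
  constructor({ capacity, refillPerSecond, maxKeys = 10000, now = () => Date.now() }) {
    this.capacity = capacity;
    this.refillPerSecond = refillPerSecond;
    this.maxKeys = maxKeys;
    this.now = now;
    this.buckets = new Map();
  }

  // Consume `cost` tokens for `key` if available. Returns true when the call
  // may proceed, false when this caller has exhausted its budget.
  take(key, cost = 1) {
    const t = this.now();
    let bucket = this.buckets.get(key);
    if (!bucket) {
      if (this.buckets.size >= this.maxKeys) this.evictOldest();
      bucket = { tokens: this.capacity, last: t };
      this.buckets.set(key, bucket);
    }
    const elapsedSeconds = Math.max(0, t - bucket.last) / 1000;
    bucket.tokens = Math.min(this.capacity, bucket.tokens + elapsedSeconds * this.refillPerSecond);
    bucket.last = t;
    if (bucket.tokens < cost) return false;
    bucket.tokens -= cost;
    return true;
  }

  // Bounded memory: drop the least recently touched entry rather than letting
  // a flood of new session ids grow the table without limit.
  evictOldest() {
    let oldestKey;
    let oldest = Infinity;
    for (const [k, b] of this.buckets) {
      if (b.last < oldest) { oldest = b.last; oldestKey = k; }
    }
    if (oldestKey !== undefined) this.buckets.delete(oldestKey);
  }
}

// Wraps a tool handler. On refusal it returns an error result in the
// content/isError shape MCP uses for tool results instead of throwing, so the
// model sees a clear message and the transport stays up.
function withRateLimit(limiter, handler, { cost = 1 } = {}) {
  return async function limited(input, ctx = {}) {
    const key = ctx.sessionId || 'anonymous';
    if (!limiter.take(key, cost)) {
      return { isError: true, content: [{ type: 'text', text: 'rate limit exceeded, retry later' }] };
    }
    return handler(input, ctx);
  };
}
```

Keying on the session covers a single runaway agent loop; a deployment that also needs protection against many sessions from one client would add a second limiter keyed on the client identity or source address, with the same class.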

Vulnerability Distribution by OWASP Category

Category                                   Servers affected
LLM07: Insecure Plugin Design              89%
LLM08: Excessive Agency                    76%
LLM01: Prompt Injection vectors            64%
LLM06: Sensitive Information Disclosure    52%
LLM05: Supply Chain Vulnerabilities        41%

Recommendations

For Developers

  1. Validate all inputs — Never trust data from the LLM
  2. Implement allowlists — Restrict file paths, URLs, and commands
  3. Add rate limiting — Prevent abuse and resource exhaustion
  4. Use sandboxing — Run tools in isolated environments

For Organizations

  1. Scan before deploying — Use tools like Manta to audit MCP servers
  2. Implement monitoring — Log all tool invocations
  3. Establish policies — Define what tools can and cannot do

References

  1. Anthropic. (2024). Model Context Protocol Specification
  2. OWASP. (2024). Top 10 for Large Language Model Applications
  3. Simon Willison. (2022). Prompt Injection Explained
  4. NIST. (2024). AI Risk Management Framework
  5. Greshake et al. (2023). Not What You've Signed Up For
