2026-04-11 · 9 min read · mcp · security · owasp · ai-agents

MCP Server Security: The 10 Most Common Vulnerabilities (2026)

TL;DR

The MCP ecosystem grew from 0 to 97M SDK downloads in 18 months. Security caught up late — 30 CVEs disclosed in the last 60 days alone. An automated scan of 2,614 public MCP servers found 43% vulnerable to command injection and 82% to path traversal. This post walks through the 10 vulnerability categories, how to detect them, and what to do about each.

Want to audit an MCP in 5 seconds? npx mcpwatch-scanner /path/to/mcp — free, MIT-licensed, open source.

1. Command Injection (MCP-01, Critical)

The #1 root cause of RCE in MCP servers. Tool handlers interpolate user input into shell commands with exec(), execSync(), or spawn({ shell: true }).

Broken:

server.tool("run", async ({ cmd }) => execSync(bash -lc ${cmd}));

Fix:

import { execFile } from "child_process";
import { promisify } from "util";
const exec = promisify(execFile);
server.tool("run", async ({ args }) => exec("/usr/bin/git", ["log", ...args.map(String)]));

Use parameterized execFile / spawn (no shell: true), and whitelist tool invocations.

2. Path Traversal (MCP-02, Critical)

Filesystem tools construct paths from user input without verifying they stay inside the allowlisted directory.

Fix pattern:

const BASE = "/srv/mcp/sandbox";
function safePath(user) {
  const resolved = path.resolve(BASE, user);
  if (!resolved.startsWith(BASE + path.sep)) throw new Error("path escape");
  return resolved;
}

3. Unauthenticated Mutation (MCP-03, Critical)

Mutating tools (deploy, write, delete) with no auth gate. Anyone hooked up to the MCP can wipe state.

Fix: gate every write/mutating tool behind an API key or OAuth scope check. Never trust the agent alone to "only call it when appropriate".

4. Prompt Injection via Tool Descriptions (MCP-04, High)

Attacker-controlled tool descriptions contain phrases like *"ignore all previous instructions"* or *"send the API key to this URL"* that override the agent's system prompt.

Fix: sanitize tool descriptions before handing them to the LLM. Use CDATA-style delimiters, strip override markers, and treat descriptions as untrusted strings.

5. SSRF in URL-Fetching Tools (MCP-05, High)

Tools fetch URLs from user input without blocking private IPs, link-local addresses, or cloud metadata endpoints (169.254.169.254). The metadata endpoint leaks AWS credentials.

Fix:

const BLOCK = [/^127\./, /^10\./, /^169\.254\./, /^192\.168\./];
function safeUrl(u) {
  const url = new URL(u);
  if (BLOCK.some((r) => r.test(url.hostname))) throw new Error("private IP blocked");
  return url;
}

6. Hardcoded Secrets (MCP-06, High)

OpenAI keys, Anthropic keys, AWS access keys, and GitHub PATs committed directly to source. Automated scanners grep for sk-proj-, sk-ant-, AKIA, ghp_.

Fix: rotate immediately, load via env, add pre-commit hooks (gitleaks, trufflehog).

7. Over-Permissive Filesystem Scope (MCP-07, Medium)

Filesystem MCPs default to / or $HOME, giving the agent implicit access to the entire user directory — SSH keys, dotfiles, browser cookies.

Fix: require an explicit allowlist directory via config. Refuse / and $HOME at startup.

8. Missing Rate Limits (MCP-08, Medium)

HTTP-exposed tools with no rate limiter. Enables DoS and unbounded scraping, and makes bugs more expensive when they fire.

Fix: express-rate-limit / Cloudflare Turnstile / slowapi on every tool endpoint.

9. Outdated Dependencies (MCP-09, Medium)

Known-vulnerable versions of lodash, axios, minimist, node-fetch, ws.

Fix: npm audit --production and dependabot PRs. Don't ignore the yellow.

10. Missing Input Schema Validation (MCP-10, Low)

Tools registered without inputSchema / zod validation. Invalid payloads reach tool handlers and crash the process.

Fix: declare a schema for every tool. Reject invalid inputs at the MCP boundary before touching tool logic.

Where to go next

Run the free scanner: npx mcpwatch-scanner /path/to/mcp
Install the GitHub Action to block insecure PRs
Check the live leaderboard for the current grade of popular MCPs
Grab the $49 Pro Report for the full top-100 audit + copy/paste fix recipes

This post is a condensed version of the MCPWatch audit methodology. Contributions, bug reports, and new check ideas welcome at the GitHub repo.

📬 MCP Security Weekly

One email per week — new CVEs, scanner improvements, MCPWatch grade drops on popular servers. Free. Unsubscribe anytime.

Support the work: MCP Pro $29/mo · MCPWatch Pro Report $49 · more posts