Builder Daily

2026-05-04

MCP security crisis — 200,000 servers exposed to arbitrary command execution

200,000+ MCP servers allow OS command execution via unsanitized STDIO; 36.7% are SSRF-vulnerable. CoSAI published a 12-category MCP threat taxonomy.

OX Security published findings this week that the default STDIO transport used by the vast majority of MCP servers executes OS commands without input sanitization. With 200,000+ MCP servers now indexed publicly, the attack surface is significant. A parallel BlueRock scan of 7,000+ MCP servers found 36.7% vulnerable to server-side request forgery (SSRF). The Coalition for Secure AI (CoSAI) released a 12-category MCP threat taxonomy in response.

The root issue is architectural: MCP’s design allows tools to execute shell commands, and most servers trust tool-call inputs without validation. Remote MCP deployments using SSE or HTTP transport are exposed to the open internet with no authentication layer by default.

Practitioner note

If you expose any MCP server — local dev or production — audit your transport config now:

  1. STDIO servers: wrap the subprocess in a sandbox (e.g. bubblewrap, Docker, or a VM); validate all tool-call arguments before passing them to the OS.
  2. Remote servers: add authentication middleware; do not expose raw MCP over public HTTP without an auth layer.
  3. Scope permissions: each MCP tool should request only the filesystem paths, network ranges, and credentials it actually needs.
  4. Read the CoSAI white paper before your next production agent deployment — it’s the clearest threat model available for MCP right now.
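As an added example, not code from the newsletter or from any of the projects it cites, here is one way to apply steps 1 to 3 in a Python tool handler: an allowlisted tool schema, path confinement under a sandbox root, argv execution with no shell string, and a bearer-token check for a remote transport. The sandbox root, tool names, argv templates and token are all assumed values.

```python
import hmac
import subprocess
from pathlib import Path

# Constructed example, not the MCP SDK: one tool handler applying steps 1-3 above.
SANDBOX_ROOT = Path("/tmp/mcp-sandbox")  # assumed confinement root for tool file access
TOOL_SCHEMAS = {"read_file": {"path"}, "count_lines": {"path"}}  # allowlisted tools and keys
ARGV_TEMPLATES = {"read_file": ["cat", "--"], "count_lines": ["wc", "-l", "--"]}  # fixed argv
API_TOKEN = "constructed-placeholder-token"  # stands in for a per-deployment secret

class ToolCallRejected(ValueError):
    """Raised when a tool call fails validation; nothing reaches the OS."""

def confine_path(user_path) -> Path:
    """Resolve a tool-supplied path under SANDBOX_ROOT; refuse absolute paths and traversal."""
    if not isinstance(user_path, str) or not user_path or "\x00" in user_path:
        raise ToolCallRejected("path must be a non-empty string")
    root = SANDBOX_ROOT.resolve()
    candidate = (root / user_path).resolve()  # an absolute input replaces root, hence the check
    if not candidate.is_relative_to(root):  # Python 3.9+
        raise ToolCallRejected(f"path escapes sandbox: {user_path!r}")
    return candidate

def build_argv(tool: str, args) -> list:
    """Validate the call and return the exact argv to run; no shell string is ever built."""
    if tool not in TOOL_SCHEMAS:
        raise ToolCallRejected(f"unknown tool: {tool!r}")
    if not isinstance(args, dict) or set(args) != TOOL_SCHEMAS[tool]:
        raise ToolCallRejected(f"unexpected arguments for {tool!r}")
    return ARGV_TEMPLATES[tool] + [str(confine_path(args["path"]))]

def is_rejected(tool: str, args) -> bool:
    """True if validation refuses the call before anything reaches the OS."""
    try:
        build_argv(tool, args)
    except ToolCallRejected:
        return True
    return False

def authorized(headers: dict) -> bool:
    """Bearer-token check for a remote (HTTP/SSE) transport, compared in constant time."""
    presented = headers.get("authorization", "")
    token = presented[len("Bearer "):] if presented.startswith("Bearer ") else ""
    return hmac.compare_digest(token.encode(), API_TOKEN.encode())

def handle_tool_call(headers: dict, tool: str, args: dict) -> str:
    """Authenticate, validate, then execute the fixed argv with shell=False and a timeout."""
    if not authorized(headers):
        raise PermissionError("missing or invalid bearer token")
    return subprocess.run(build_argv(tool, args), capture_output=True, text=True, timeout=5).stdout
```

Running the subprocess inside bubblewrap, Docker or a VM (step 1) is still required; the confinement here only limits which paths the fixed argv can name.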
