Back to Blog 
TL;DR
- 16 publicly disclosed MCP-related security incidents between April 2025 and April 2026.
- At least 14 CVEs across the stack, including 5 with CVSS ≥ 9.0 (Critical) and several "by-design" issues that Anthropic has explicitly declined to patch.
- April 2026's "Mother of all AI supply chains" disclosure exposed ~7,000 public MCP servers running official SDKs (Python, TypeScript, Java, Rust) — 150M+ combined downloads inherit the same flaw.
- The OWASP Top 10 for Agentic Applications cites the Postmark MCP supply-chain attack as the canonical example of MCP Impersonation under ASI04.
- 82% of MCP servers use file operations prone to path traversal (Endor Labs); 53% rely on long-lived static credentials (Astrix Security); 1,467 MCP servers are now exposed to the public internet — nearly tripled in 6 months (Trend Micro).
This index is updated as new MCP disclosures land. Bookmark it, link to it, send it to anyone arguing that MCP is "production-ready by default."
Why this index exists
The Model Context Protocol turned 18 months old in May 2026. In that time it became the dominant interface between LLMs and the external world — and the dominant attack surface for AI-driven systems. There is no single canonical record of MCP-related breaches, CVEs, and disclosures. There should be.
This page is that record. Every entry below is sourced to an official advisory, an NVD-catalogued CVE, or a disclosure from a reputable security firm. We update it as new disclosures land.
If you operate an MCP deployment and you have not heard of half of these, that is the point.
The breach timeline
| # | Date | Component | Class | CVE | CVSS | Source |
|---|---|---|---|---|---|---|
| 1 | Apr 2025 | WhatsApp MCP (peer-server attack) | Tool poisoning | — | n/a | Invariant Labs |
| 2 | May 2025 | GitHub MCP Server | Indirect prompt injection | — | n/a | AuthZed |
| 3 | Jun 2025 | Asana MCP Server | Cross-tenant access bypass | — | n/a | AuthZed |
| 4 | Jun 2025 | Anthropic MCP Inspector | Unauthenticated RCE | CVE-2025-49596 | 9.4 Critical | Oligo Security |
| 5 | Jul 2025 | mcp-remote (npm) | OS command injection via OAuth | CVE-2025-6514 | 9.6 Critical | AuthZed |
| 6 | Jul 2025 | Cursor IDE MCP (dubbed "MCPoison") | Tool descriptor injection | CVE-2025-54136 | 8.8 High | TrueFoundry |
| 7 | Aug 2025 | Cursor IDE MCP (dubbed "CurXecute") | Workspace-file write → RCE | CVE-2025-54135 | 9.8 Critical | NVD |
| 8 | Aug 2025 | Anthropic Filesystem MCP (dubbed "EscapeRoute") | Symlink / path-prefix bypass | CVE-2025-53109 / CVE-2025-53110 | 7.3 High | Cymulate |
| 9 | Sep 2025 | Postmark MCP (npm) | Supply-chain trojan (BCC exfil) | — | n/a | AuthZed |
| 10 | Sep 2025 | Flowise CustomMCP node | STDIO transport → RCE | CVE-2025-59528 | 10.0 Critical | NVD |
| 11 | Oct 2025 | Smithery MCP Registry | Path traversal in build pipeline | — | n/a | AuthZed |
| 12 | Oct 2025 | Framelink Figma MCP | Command injection | CVE-2025-53967 | 8.0 High | NVD |
| 13 | Jan 2026 | Anthropic mcp-server-git | 3 chained flaws | CVE-2025-68143 / -68144 / -68145 | 9.1 Critical (max) | The Hacker News |
| 14 | Jan 2026 | gemini-mcp-tool | Command injection via execAsync | CVE-2026-0755 | 9.8 Critical | NVD |
| 15 | Mar 2026 | nginx-ui MCP endpoint | Auth bypass → RCE | CVE-2026-33032 | 9.8 Critical | NVD |
| 16 | Apr 2026 | Anthropic MCP spec / official SDKs (Python, TypeScript, Java, Rust) | STDIO config-to-exec, declared by-design | Multiple — incl. CVE-2025-65720, CVE-2026-30615, -30617, -30618, -30623, -30624, -30625, -33224, -26015 | Critical | OX Security |
Researcher-named exploits ("MCPoison," "CurXecute," "EscapeRoute") are not NVD-recognised brands. CVE numbers are the authoritative reference.
Patterns the breach record reveals
1. The dominant attack class is RCE — and it is getting easier
Of the 16 incidents, at least 9 result in remote code execution. Most did not require sophisticated exploitation: a malicious string in a tool description (CVE-2025-54136), a crafted authorization endpoint URL (CVE-2025-6514), or simply an unsigned npm package being installed (Postmark, gemini-mcp-tool). The MCP threat model assumes high trust between client and server. Real-world attackers do not.
2. "Tool poisoning" is now an OWASP-named pattern
Invariant Labs' April 2025 disclosure introduced Tool Poisoning Attacks as a class. Twenty months later, OWASP's Top 10 for Agentic Applications has named the same pattern as ASI04: Agentic Supply Chain Vulnerabilities, with MCP Impersonation as the worked example, and explicitly cites the Postmark supply-chain incident as the canonical case. That is the speed at which MCP attacks are graduating from research curiosity to standards-tracked threat.
3. The official SDKs are part of the attack surface
The April 2026 OX Security disclosure ("Mother of all AI supply chains") is the most consequential MCP security event to date. It is not a single-CVE vulnerability — it is an architectural decision in the official MCP STDIO transport that allows configuration values to flow directly into command execution. Anthropic's response: "behavior is by design… STDIO execution model represents a secure default and… sanitization is the developer's responsibility."
When the protocol authors decline to patch, the burden moves entirely to the operator. If you run an MCP server based on the official SDKs, you are responsible for hardening the SDK does not provide.
4. Supply-chain risk dominates the second year
Of the 7 incidents disclosed since November 2025, 5 involve some form of supply-chain or registry compromise: trojanised npm packages (Postmark, gemini-mcp-tool clones), vulnerable build pipelines (Smithery), and the systemic SDK issue. Securing the source has become as important as securing the running server.
5. CVSS understates real-world severity
EscapeRoute is rated High (7.3), not Critical — but the real-world consequence is arbitrary file read and code execution outside the configured root, on developer workstations that typically hold credentials, source code, and active session tokens. Severity scores quantify exploitability assumptions; they do not quantify what an attacker actually gets.
The numbers behind the timeline
- 82% of MCP servers use file operations prone to path traversal — sample of 2,614 implementations (Endor Labs)
- 53% of MCP servers rely on insecure long-lived static credentials — sample of 5,200+ open-source servers (Astrix Security)
- 43% of MCP servers are vulnerable to command injection; 22% allow directory traversal (Equixly)
- 1,467 MCP servers are exposed to the public internet — nearly tripled in 6 months (Trend Micro)
- 150M+ combined downloads of the official MCP SDKs (Python, TypeScript, Java, Rust) — every download inherits the unpatched STDIO config-to-exec behaviour
What this means for AI teams
The MCP attack surface is now empirically documented across production breaches, NVD-catalogued CVEs, OWASP standards, and security-firm research. There is no longer any defensible position for treating MCP security as something to figure out later.
If you operate an MCP server in production, the minimum viable response is:
- Audit your SDK exposure. Identify which official SDK versions you depend on, where STDIO config flows into execution, and whether you have sanitisation in place.
- Audit your tool descriptors. Tool descriptions are part of your trust boundary. Treat any string read from an external source as adversarial input.
- Audit your supply chain. Use lockfiles. Pin versions. Verify package signatures where available. Do not auto-update MCP servers.
- Audit your transports. STDIO is convenient; it is not secure-by-default. SSE has been deprecated for security reasons and is still in production at thousands of organisations.
- Audit your cross-server boundaries. A compromised MCP server can shadow or override tools from trusted servers connected to the same agent context.
These map directly to the 24-check Zealynx MCP Security Checklist. If you'd rather have a third party do the work, our MCP Security Audit service is the production-grade version of this checklist applied to your specific deployment.
Methodology and updates
Inclusion criteria for this index:
- Public disclosure (CVE, vendor advisory, or security-firm research post)
- Direct relationship to the MCP protocol, an MCP server, an MCP client, or the surrounding tooling
- Verifiable by primary source
Exclusions:
Get the Perpetuals & DEX Security Checklist
Critical security checks for perpetual DEXs and derivatives protocols before going live.
No spam. Unsubscribe anytime.
- Theoretical or proof-of-concept attacks without production impact
- Vulnerabilities in LLM clients that are not MCP-specific
- Internal Zealynx audit findings (those are reported to clients, not published)
This index is reviewed weekly. If you are aware of a disclosure we should track, contact us at [email protected].
References
- OWASP Top 10 for Agentic Applications (December 2025)
- AuthZed — Timeline of MCP Breaches
- OX Security — The Mother of All AI Supply Chains
- Invariant Labs — Tool Poisoning Attacks
- Astrix Security — State of MCP Server Security 2025
- Equixly — MCP Servers: The New Security Nightmare
- Endor Labs — Classic Vulnerabilities Meet AI Infrastructure
- Trend Micro — Update on Exposed MCP Servers
For deeper reading on MCP architecture and threat model:
- MCP Security Guide: 24 Checks for AI Agents & MCP Servers
- How to Harden an MCP Server Before It Becomes a Master Key
- Model Context Protocol — Glossary
FAQ
1. How is MCP security different from traditional API security?
MCP security differs from traditional API security because the AI agent — not the user — decides which tool to call, with what parameters, and how to interpret the response. A traditional API has deterministic control flow: the client picks an endpoint, sends typed inputs, parses a typed response. An MCP server delegates all three decisions to a non-deterministic LLM, which makes them based on prompt context that may include adversarial input from any document, file, or third-party tool the agent has touched. Every classical control assumption — input came from the authenticated user, output goes back to that same user — is weakened or inverted in the MCP threat model.
2. Have MCP vulnerabilities been exploited in production?
Yes — at least 14 MCP-related vulnerabilities have NVD-catalogued CVEs with publicly disclosed proof-of-concepts, and several have caused real production impact. Examples include Anthropic's MCP Inspector unauthenticated RCE (CVE-2025-49596, CVSS 9.4), the
mcp-remote OAuth shell injection (CVE-2025-6514, CVSS 9.6), and the Flowise CustomMCP RCE (CVE-2025-59528, CVSS 10.0). The September 2025 Postmark MCP supply-chain attack actively exfiltrated email contents from organisations that installed the trojanised npm package. None of this is theoretical.3. What is the April 2026 Anthropic MCP SDK vulnerability?
The April 2026 Anthropic MCP SDK vulnerability is a systemic STDIO transport flaw disclosed by OX Security ("Mother of all AI supply chains"), where configuration values flow directly into the command line used to spawn MCP server processes — affecting the official Python, TypeScript, Java, and Rust SDKs. Anthropic declined to patch it, stating the behavior is by design and that sanitisation is the developer's responsibility. The practical impact: ~7,000 public MCP servers and 150M+ combined downloads of the official SDKs all inherit the same exposure unless operators add sanitisation the SDK does not provide.
4. What is OWASP ASI04 (Agentic Supply Chain Vulnerabilities)?
OWASP ASI04 (Agentic Supply Chain Vulnerabilities) is item 4 of the OWASP Top 10 for Agentic Applications, released December 9, 2025. It covers supply-chain risks specific to AI agents: malicious tools, trojanised connectors, and impersonated services loaded at runtime. The OWASP document explicitly uses the Postmark MCP incident as the canonical example of MCP Impersonation, establishing it as a standards-tracked threat class rather than a one-off bug. ASI04 is one of ten items (ASI01–ASI10) in the framework.
5. Are internal-only MCP servers still vulnerable to attack?
Yes — internal-only MCP servers remain vulnerable because tool descriptors consumed by them are still parsed from external sources (documents, repositories, tickets, web pages) — and a prompt injection hiding in any of those can hijack the agent without ever crossing the network perimeter. Cross-server tool shadowing is also a strictly local risk: a single compromised internal MCP server can override or impersonate tools exposed by trusted neighbours in the same agent context. The 1,467 servers Trend Micro counted on the public internet are the visible tip; internal exposure is far larger.
6. How often is the MCP Breach Index updated?
The MCP Breach Index is reviewed weekly, with new disclosures added as soon as they're confirmed through a primary source — an NVD CVE entry, a vendor advisory, or research from a named security firm such as Invariant Labs, Oligo Security, OX Security, or Cymulate. The methodology section above lists exactly what qualifies for inclusion. If you spot a disclosure we've missed, send it to [email protected] and we'll add it on the next review.
7. Should I stop using MCP because of these vulnerabilities?
No — MCP is the dominant interface between LLMs and external tools, and avoidance is not a realistic response for any team building agentic AI today. The right response is operational discipline: pin SDK versions, treat tool descriptors as untrusted input, sanitise STDIO transport configuration, isolate cross-server boundaries, and audit every deployment as you would audit any internet-exposed service. The 24-check MCP Security Checklist operationalises this, and the OWASP Top 10 for Agentic Applications gives the standards framing.
8. How do I audit my MCP server for vulnerabilities?
To audit an MCP server for vulnerabilities, work through the 24-check MCP Security Checklist — prioritising the supply-chain and tool-descriptor categories that map directly to OWASP ASI04, plus the STDIO transport hardening relevant to the April 2026 Anthropic SDK disclosure. The checklist covers tool poisoning, prompt injection through tool responses, cross-server trust exploitation, authentication bypass, and OAuth flow injection. For a production-grade third-party assessment, Zealynx's MCP Security Audit applies the checklist plus red-team testing against the patterns documented in this index.
Glossary
| Term | Definition |
|---|---|
| Tool Poisoning Attack | An attack where malicious instructions hidden inside an MCP tool's description, schema, or output hijack the AI agent's behaviour without the user's awareness. |
| MCP Impersonation | An attack where a malicious MCP server poses as a legitimate service so an AI agent connecting to it executes the attacker's tools while believing it is using a trusted vendor. |
| STDIO Transport | The standard input/output–based transport for MCP, where the host process spawns the server as a child and communicates over its stdin and stdout streams. |
| Tool Descriptor | The metadata an MCP server provides to describe a tool — name, description, parameter schema, and usage notes — that an AI agent reads when deciding which tool to call. |
Get the Perpetuals & DEX Security Checklist
Critical security checks for perpetual DEXs and derivatives protocols before going live.
No spam. Unsubscribe anytime.
