MCP Security 2026: 30 CVEs in 60 Days (opens in new tab)

(heyuan110.com)

2 pointsdanebalia14d ago5 comments

5 comments

This tracks exactly with why I built MCP Gateway — the root causes you listed (absent authentication, blind trust, no access control) are all things the protocol leaves up to each implementer to solve independently.

https://github.com/PanosSalt/MCP-Gateway

OAuth 2.1 + PKCE, Microsoft Entra SSO, per-tool RBAC, full audit trail on every tool call. The gateway sits in front of your tools so auth and access control are solved once at the platform level rather than per-server. Self-hostable with Docker.

First open source project — built it after seeing exactly the pattern described here in enterprise MCP deployments.

tomjwxf5h ago

The gateway approach (OAuth + RBAC) solves the perimeter problem — who can connect. protect-mcp solves a different layer — what can they do once connected, and how do you prove it.

It wraps any MCP server as a stdio proxy. Per-tool policies (block, rate-limit, require human approval). Every decision gets an Ed25519-signed receipt that's verifiable offline — no callbacks, no accounts.

The two layers stack: your gateway authenticates the caller, protect-mcp constrains which tools they can call and signs the evidence.

npx protect-mcp -- node your-server.js

MIT licensed. The receipts protocol has an IETF Internet-Draft: https://datatracker.ietf.org/doc/draft-farley-acta-signed-re...

npm: https://npmjs.com/package/protect-mcp

riteshkew10018d ago

The CVEs here are legit and worth knowing about, CVE-2025-6514 alone is a 9.6 command injection in mcp-remote through the auth flow, that's terrifying. But the article itself has that AI-generated smell to it, real data wrapped in a template.

The actual situation is simpler and scarier: most MCP servers still ship with zero auth, tool descriptions are trusted blindly at runtime, and nobody's validating what a server does vs what it declares. If you're running MCP in production, go scan your setup before reading another guide.

toomuchtodo7d ago

Scanners you recommend?

danebaliaOP14d ago

30 CVEs. 60 days. 437,000 compromised downloads. The Model Context Protocol went from “promising open standard” to “active threat surface” faster than anyone predicted.

Between January and February 2026, security researchers filed over 30 CVEs targeting MCP servers, clients, and infrastructure. The vulnerabilities ranged from trivial path traversals to a CVSS 9.6 remote code execution flaw in a package downloaded nearly half a million times. And the root causes were not exotic zero-days — they were missing input validation, absent authentication, and blind trust in tool descriptions.

If you are running MCP servers in production — or even just experimenting with them in Claude Code or Cursor — this article is your field guide to what went wrong and how to protect yourself.

j / k navigate · click thread line to collapse