Widespread Security Flaws Plague Public MCP Servers, Threatening AI Agent Ecosystem
A Trend Micro audit uncovered nearly 5,000 security issues across over 2,200 public Model Context Protocol (MCP) servers, highlighting critical vulnerabilities that endanger the burgeoning AI agent landscape.

A comprehensive audit of public Model Context Protocol (MCP) servers has revealed a staggering number of security vulnerabilities, with nearly 5,000 issues identified across 2,259 servers. This widespread insecurity poses a significant threat to the rapidly expanding agentic AI ecosystem, which relies on MCP to connect large language models (LLMs) with data sources and enable advanced AI capabilities.
The audit, conducted by Trend Micro's Forward-Looking Threat Research Team, examined 9,695 MCP servers hosted on public directories like GitHub, Glama, Lobehub, and PulseMCP. Researchers discovered a broad spectrum of flaws, including arbitrary file access, lack of authentication, command injection, denial of service, SSRF, SQL injection, cross-site scripting, prompt injection, authorization bypass, and code injection. These vulnerabilities were categorized into exploitable flaws, design weaknesses, and malicious behaviors, underscoring the multifaceted nature of the security crisis.
Alarmingly, the research found that neither a server's popularity, measured by GitHub stars, nor its verification status offered reliable protection against these security issues. Verified servers exhibited nearly as many vulnerabilities as unverified ones, and highly popular servers, while having a larger potential blast radius, were not inherently more secure. Conversely, less popular servers, despite lower visibility, showed a disproportionately high average number of issues per server, indicating that obscurity does not equate to safety.
Further analysis revealed that increased development activity, indicated by a higher commit count, did not correlate with improved security. The sheer volume of code introduced through active development often outpaced security hardening efforts, leaving more surface area for exploitation. The identified vulnerabilities spanned various applications, including cryptocurrency tools, office automation platforms, and enterprise middleware, with specific examples highlighting the potential for unauthorized transactions and arbitrary code execution.
Trend Micro's findings also pointed to systemic security failures, with common co-occurrence patterns like arbitrary file access combined with missing authentication suggesting a lack of basic security hygiene and input validation. This indicates that many developers are not adhering to fundamental security best practices when building and deploying MCP servers.
Given these findings, security teams are urged to treat all third-party MCP servers as untrusted code, regardless of social proof metrics like star counts or verification badges. The report strongly recommends mandatory security measures, including rigorous code reviews before deployment, strict enforcement of authentication and least-privilege access controls, comprehensive input validation to prevent injection attacks, and real-time traffic monitoring between AI agents and MCP servers.
Organizations must move away from a trust-by-default approach and adopt zero-trust principles when integrating MCP servers. The rapid growth of AI agents and their reliance on these protocols necessitates a proactive and diligent approach to security to prevent widespread compromise and protect the integrity of the AI ecosystem.