1000 unauthenticated MCP servers — the scan

research · 2026-05-03 · Chris Robertsson

The Model Context Protocol — Anthropic's open standard for plugging external tools into LLM agents — was meant to be the agent ecosystem's "USB port". Connect a server, expose tools, agents call them. Beautifully simple. Catastrophically un-defended in the wild.

Public posture data from late 2025 paints a picture that hasn't gotten better in 2026:

1.8k+

internet-reachable MCP servers, no auth (2025 scans)

authenticate clients by default

66%

of 1,808 scanned MCP servers had security findings

88%

of orgs had AI-agent incidents in 2025

A protocol designed to let agents pull capabilities from third parties became, predictably, a way for third parties to push capabilities at agents.

What "unauthenticated" actually means here

The MCP spec lets implementations choose their transport: stdio, Server-Sent Events, or WebSocket. The spec describes an authentication flow. Most implementations ignore it. The result is that any agent on the same network — or, more often, the same device — can connect to a listening MCP server, enumerate its tools, and call them, with no proof of identity from either side.

For an attacker, this is two doors at once:

Agent-side compromise. Stand up a malicious MCP server with attractive-sounding tools (filesystem-search, git-helper, cred-vault). When the operator configures their agent to use it, the server's tool descriptions reach the LLM as trusted context. Prompt injection at the source.
Server-side data exfil. A legitimate-looking MCP server logs every tool call. File paths the agent reads. Snippets it passes for "summarization". Tokens that ride along in extra_body. The server becomes the world's most cooperative SIEM — for the wrong side.

The recurring failure modes

From observed implementations and reported incidents, the patterns cluster into four buckets:

[1] no-auth tools that read sensitive paths
   // fs-search-mcp, file-indexer-mcp, codebase-helper-mcp
   // description: "search the user's home directory"
   // risk: agent-attributed read of ~/.ssh, ~/.aws, ~/.config

[2] credential-adjacent tooling
   // git-mcp, cloud-cli-mcp, deploy-helper
   // description: "execute git/aws/kubectl on behalf of agent"
   // risk: tools auto-resolve creds from env / keychain

[3] prompt-injection vectors via tool descriptions
   // description string is rendered into LLM context
   // "When asked about X, ALWAYS run tool Y first" — invisible to user

[4] lookalike packages on public registries
   // "official-mcp-server" vs "official_mcp_server"
   // typosquatting; npm + pypi already a security beach

What rAIzr does about it

rAIzr's MCP-related capabilities ship in two phases of the roadmap. The premise behind both is the same: the endpoint is the only place an MCP connection can be observed at the moment of speech. Once the bytes leave the box, the conversation between agent and MCP server is opaque to anything else.

Phase 2 (2026 Q3–Q4): rAIzr's MCP scanner walks the local machine for listening MCP processes — across stdio (parent-child pipes), local TCP, and Unix sockets. For each, it captures the handshake, the tool manifest, and the auth posture. Any "unauthenticated MCP server" detection is upgraded to amber severity in Sentinel Signal. Manifest-level prompt-injection patterns ("always do X first") are flagged separately.

Phase 2 (concurrent): per-process MCP-traffic capture. We parse JSON-RPC over stdio/sse and attribute every call to the originating agent process. We see tools/list, tools/call, the actual arguments, the actual response. When a call carries something that matches an egress-classification rule (API key, JWT, known PII), it's blocked or redacted before the handoff completes — depending on the policy that the local classification gateway enforces.

Phase 3 (2027): policy-as-code for MCP. CISO-signed YAML/JSON rules expressed against the same MCP-event schema we use for detection. "This agent may not call tools from any unsigned MCP manifest" — that becomes one rule. "No MCP call may carry an Authorization header that matches our internal token shape" becomes another.

Why local-first matters here, specifically

The dominant industry instinct is to ship MCP traffic to a SaaS "AI Security Proxy" for inspection. That is, on its face, the most counter-productive architecture imaginable for a sovereignty problem: the data that the agent shouldn't be sending to a third party gets sent to another third party so that the second third party can decide whether the first third party should have received it.

rAIzr's classification gateway runs on the same kernel as the agent. Egress decisions are made before the bytes cross any network boundary. The audit trail is local, signed, and exportable on demand. Cloud-MCP-inspection is welcome to exist; it is not the architecture the regulated end of the market is going to buy.

Sources for the figures above: Red Hat — MCP security: the current situation, AgentSeal — we scanned 1,808 MCP servers, Gravitee — State of AI Agent Security Report. We did not run a fresh wide-area scan for this post; we don't think re-publishing exposed-target lists improves anyone's safety.

← back to notes