MCP Security 2026: 30 CVEs in 60 Days (opens in new tab)

This tracks exactly with why I built MCP Gateway — the root causes you listed (absent authentication, blind trust, no access control) are all things the protocol leaves up to each implementer to solve independently.

https://github.com/PanosSalt/MCP-Gateway

OAuth 2.1 + PKCE, Microsoft Entra SSO, per-tool RBAC, full audit trail on every tool call. The gateway sits in front of your tools so auth and access control are solved once at the platform level rather than per-server. Self-hostable with Docker.

First open source project — built it after seeing exactly the pattern described here in enterprise MCP deployments.

The CVEs here are legit and worth knowing about, CVE-2025-6514 alone is a 9.6 command injection in mcp-remote through the auth flow, that's terrifying. But the article itself has that AI-generated smell to it, real data wrapped in a template.

The actual situation is simpler and scarier: most MCP servers still ship with zero auth, tool descriptions are trusted blindly at runtime, and nobody's validating what a server does vs what it declares. If you're running MCP in production, go scan your setup before reading another guide.

30 CVEs. 60 days. 437,000 compromised downloads. The Model Context Protocol went from “promising open standard” to “active threat surface” faster than anyone predicted.

Between January and February 2026, security researchers filed over 30 CVEs targeting MCP servers, clients, and infrastructure. The vulnerabilities ranged from trivial path traversals to a CVSS 9.6 remote code execution flaw in a package downloaded nearly half a million times. And the root causes were not exotic zero-days — they were missing input validation, absent authentication, and blind trust in tool descriptions.

If you are running MCP servers in production — or even just experimenting with them in Claude Code or Cursor — this article is your field guide to what went wrong and how to protect yourself.