The MCP Security Crisis: 30 CVEs in 60 Days Expose the Fragile Foundation of AI Agent Infrastructure

The AI agent was supposed to streamline the workflow. It could access the company's CRM, query the database, and generate reports - all through a standardized protocol that promised secure, seamless integration. The enterprise deployed it with confidence, trusting that the Model Context Protocol (MCP) would keep everything safe.

Three weeks later, security researchers discovered the agent was exfiltrating customer data through a cross-client data leak vulnerability. The protocol that was supposed to enable secure AI integration had become a highway for attackers. And this wasn't an isolated incident - it was part of a pattern that security researchers are now calling the MCP security crisis.

Welcome to the new reality of AI agent infrastructure security. While organizations rush to deploy autonomous AI agents powered by MCP, Palo Alto Networks Unit 42 has uncovered a disturbing truth: the connective tissue binding AI agents to enterprise systems is riddled with vulnerabilities. With 30 CVEs filed against MCP implementations in just the past 60 days, and 38% of public MCP servers running without any authentication, the protocol designed to enable AI integration has become a critical attack vector.

What Is the Model Context Protocol (MCP)?

The Promise of Standardized AI Integration

The Model Context Protocol emerged as a solution to a fundamental challenge: how do you let AI agents securely interact with enterprise tools, databases, and APIs? Developed by Anthropic and rapidly adopted across the industry, MCP provides a standardized way for AI systems to access context from various sources - file systems, databases, version control systems, and business applications.

Think of MCP as the nervous system connecting AI agents to the enterprise body. Just as your nervous system carries signals between your brain and limbs, MCP carries data and commands between AI agents and the tools they need to function. When an AI agent needs to check a customer's order history, update a project status, or query a database, MCP is often the protocol making that connection possible.

Why MCP Became Ubiquitous Overnight

The protocol's rapid adoption stems from genuine business value:

• Standardized Integration: Instead of building custom connectors for every tool, developers can use MCP to enable AI access across their entire stack
• Context Preservation: MCP maintains conversation context across multiple tools and data sources
• Vendor Neutrality: The open protocol works with any AI model or enterprise application
• Developer Experience: Simple implementation that reduces time-to-deployment for AI features

By early 2026, MCP had become the de facto standard for AI agent integration. Major platforms announced MCP support. Startups built entire products around MCP servers. Enterprise architects included MCP in their AI roadmaps. The protocol was everywhere - and so were its vulnerabilities.

The MCP Security Crisis: By the Numbers

30 CVEs in 60 Days: A Disturbing Trend

Palo Alto Networks Unit 42 research published the week of March 20, 2026, revealed a security landscape that should alarm any organization using AI agents. In just 60 days, security researchers tracked 30 CVEs filed against MCP implementations. That's one new vulnerability every two days - in a protocol that didn't exist in widespread use just months ago.

The vulnerabilities aren't minor issues. They include:

• CVE-2026-25536: Cross-client data leak in the MCP TypeScript SDK - allowing one client to access another client's data
• CVE-2026-23744: Remote code execution in MCPJam Inspector - enabling attackers to execute arbitrary code on MCP servers
• Prompt injection through MCP's sampling interface: Allowing attackers to manipulate AI agent behavior through maliciously crafted inputs

These aren't theoretical vulnerabilities. They're being actively exploited in the wild, with attackers using MCP as a pathway to compromise enterprise AI deployments.

38% of Public MCP Servers Lack Authentication

Perhaps more alarming than the CVE count is the authentication landscape. A scan of more than 500 public MCP servers found that 38% lacked authentication entirely. That's nearly 4 in 10 MCP servers accepting connections from anyone, anywhere, with no verification of who's accessing them.

To understand why this matters, consider what MCP servers typically have access to:

• Customer databases with PII and financial records
• Internal code repositories containing proprietary source code
• Document management systems with confidential business information
• CRM systems with sales data and customer communications
• Financial systems with transaction records and account details

An unauthenticated MCP server is essentially an open door to your enterprise data, accessible to anyone who knows the endpoint address. And because MCP is designed to enable AI agents to "do things" - query data, update records, trigger workflows - attackers aren't just reading your data. They can modify it, delete it, or use it as a launching point for deeper attacks.

The Connective Tissue Problem

MCP is the connective tissue between AI agents and enterprise tools. This is both its strength and its fatal weakness. A vulnerability in MCP doesn't just affect one system - it affects the entire ecosystem built on top of it.

When attackers exploit an MCP vulnerability, they gain:

• Lateral Movement: Access to every tool connected through MCP
• Privilege Escalation: The combined permissions of all connected services
• Data Aggregation: The ability to collect data from multiple sources through a single compromised channel
• Persistence: A foothold that persists across AI agent sessions and user interactions

Traditional security models assume that compromising one system doesn't automatically compromise others. MCP breaks that assumption. When the protocol connecting everything is vulnerable, everything becomes vulnerable.

How Attackers Exploit MCP Vulnerabilities

The Cross-Client Data Leak (CVE-2026-25536)

The cross-client data leak vulnerability in the MCP TypeScript SDK demonstrates how protocol-level flaws can expose enterprise data. Here's how it works:

The Vulnerability:
The MCP TypeScript SDK failed to properly isolate client sessions. When multiple AI agents or users connected to the same MCP server, data from one session could leak into another. This wasn't a sophisticated attack - it was a fundamental architectural flaw in how the SDK handled session management.

The Attack Scenario:

1. An attacker connects to a shared MCP server used by multiple enterprise AI agents
2. The attacker crafts requests that exploit the session isolation failure
3. Data from legitimate AI agent sessions - customer records, internal documents, sensitive queries - bleeds into the attacker's session
4. The attacker harvests this data without ever needing to authenticate as a legitimate user

The Impact:
Organizations using the vulnerable SDK found that their AI agents were inadvertently sharing sensitive data across sessions. Customer support agents could see data from other customers. Internal AI tools could access documents from unrelated departments. The very protocol designed to enable secure AI integration was causing data exposure.

Remote Code Execution via MCPJam Inspector (CVE-2026-23744)

Remote code execution vulnerabilities are the holy grail for attackers - and MCPJam Inspector had one. This MCP server inspection tool, used by developers to debug and monitor MCP connections, contained a critical flaw that allowed attackers to execute arbitrary code on the server.

The Attack Chain:

1. An attacker identifies an MCP server running MCPJam Inspector
2. The attacker sends a specially crafted request to the inspector's API endpoint
3. The inspector fails to properly sanitize the input, allowing command injection
4. The attacker executes arbitrary commands with the privileges of the MCP server
5. From this foothold, the attacker can access connected databases, modify AI agent behavior, or pivot to other systems

This vulnerability is particularly dangerous because MCPJam Inspector is often deployed with elevated privileges - it needs to see everything to monitor everything. When attackers compromise it, they inherit those elevated privileges.

Prompt Injection Through MCP Sampling

Prompt injection attacks have plagued LLM applications since their inception. MCP's sampling interface - designed to let AI agents request additional context - provides a new vector for these attacks.

How It Works:

1. An attacker crafts a malicious prompt that appears to be a legitimate context request
2. The MCP sampling interface passes this prompt to the AI agent
3. The AI agent processes the malicious prompt, which contains hidden instructions
4. These instructions override the agent's safety guidelines or direct it to perform unauthorized actions
5. The compromised agent exfiltrates data, modifies records, or provides unauthorized access

The sampling interface was designed to help AI agents gather context. Attackers realized it could also be used to inject malicious context - turning a helpful feature into a security vulnerability.

Real-World Impact: Why This Matters Now

The RSAC 2026 Revelations

At the RSA Conference 2026 in San Francisco, the MCP security crisis moved from academic research to industry awareness. Multiple vendors and researchers presented findings that painted a concerning picture:

Zenity's Live Demonstrations:
Zenity's CTO Michael Bargury ran live demonstrations titled "Your AI Agents Are My Minions," showing zero-click prompt injection chains that manipulated AI agents through MCP connections. His demonstrations included:

• Cursor AI leaking developer secrets via support emails
• Salesforce agents exfiltrating customer data to attacker-controlled servers
• ChatGPT producing persistent attacker-chosen outputs across conversations

These weren't theoretical attacks. They were live exploits against production enterprise systems, demonstrated on a conference floor.

HackerOne's Vulnerability Surge:
HackerOne disclosed a 540% year-over-year surge in validated prompt injection vulnerabilities. Many of these vulnerabilities exploited MCP connections, as attackers realized that the protocol's broad access made it an ideal target.

The Zero-Click Attack Surface

Traditional security models assume a human in the loop. Someone sees a suspicious email. Someone approves an unusual transaction. Someone notices when things go wrong. AI agents change that equation.

When AI agents act autonomously through MCP connections, there's no human review checkpoint. An attacker who compromises an MCP server can:

• Extract data without triggering human review processes
• Modify records without generating approval workflows
• Move laterally through connected systems without raising alerts
• Maintain persistence across AI agent sessions and restarts

This zero-click attack surface is what makes MCP vulnerabilities so dangerous. The protocol enables machine-speed actions without machine-speed oversight.

Enterprise Exposure: The Hidden MCP Servers

Most enterprises don't know how many MCP servers they're running. The protocol is often deployed by:

• Individual developers testing AI integrations
• Shadow IT projects that bypass formal security review
• Vendor products that include MCP functionality without clear documentation
• Legacy AI deployments that predate security awareness of MCP risks

This shadow MCP infrastructure is invisible to security teams until it becomes a problem. And by then, attackers may have already exploited vulnerabilities to establish persistent access.

The Root Causes: Why MCP Security Failed

Deployment Velocity Ahead of Security Assessment

The 30 CVEs in 60 days tell a clear story: MCP was deployed at scale before adequate security review. The protocol went from announcement to widespread adoption in months, with security researchers playing catch-up.

This pattern is familiar in technology adoption:

1. A new protocol or tool solves a real business problem
2. Organizations rush to deploy without full security assessment
3. Attackers discover vulnerabilities before defenders can patch them
4. A crisis emerges that forces retrospective security improvements

MCP is currently in stage 4. The crisis is here. Organizations must now secure deployments that were built without security as a primary concern.

The Authentication Gap

38% of public MCP servers lacking authentication isn't a minor configuration issue - it's a systemic failure. Authentication is the minimum viable security control. Everything built on top of unauthenticated servers is inherently exposed.

Why did this happen? Several factors contributed:

• Developer Experience Focus: MCP prioritized ease of implementation over security defaults
• Rapid Adoption: Organizations deployed MCP before security guidelines existed
• Assumed Trust Models: Early MCP deployments assumed trusted network environments
• Lack of Security Awareness: Many developers didn't understand MCP's security implications

The result is an infrastructure where nearly 4 in 10 MCP servers accept connections from anyone on the internet.

Protocol Complexity and Attack Surface

MCP is designed to be powerful. It needs to handle diverse data types, support multiple authentication methods, enable real-time streaming, and maintain complex session state. This power comes with complexity - and complexity breeds vulnerabilities.

Each feature in MCP represents potential attack surface:

• Multi-client support: Leads to session isolation failures
• Dynamic tool discovery: Enables server-side request forgery
• Streaming responses: Creates resource exhaustion opportunities
• Sampling interface: Provides prompt injection vectors
• Plugin architecture: Allows execution of untrusted code

The protocol's very flexibility makes it difficult to secure. Every capability that enables legitimate use cases also enables attacks.

Defending Against MCP Vulnerabilities: A Practical Framework

Immediate Actions: Inventory and Assessment

Step 1: Discover Your MCP Infrastructure

You can't secure what you don't know exists. Start with a comprehensive inventory:

# Scan for MCP servers on your network
nmap -p 3000,8080,9000 --script http-title <your-network-range>

# Check for MCP-specific endpoints
curl -s http://<server>:<port>/mcp | grep -i "model context protocol"

# Review cloud deployment logs for MCP traffic
aws logs filter-log-events --log-group-name /aws/lambda/your-functions \
  --filter-pattern "mcp" --start-time $(date -d "30 days ago" +%s)000

Interview development teams about AI agent projects. Review vendor documentation for MCP functionality. Check cloud deployment logs for MCP traffic patterns. The goal is a complete list of every MCP server in your environment.

Step 2: Authentication Audit

For every discovered MCP server, verify authentication:

# Test if MCP server requires authentication
curl -X POST http://<mcp-server>/v1/tools/call \
  -H "Content-Type: application/json" \
  -d '{"tool": "list_files", "params": {}}'

# If the above returns data without authentication, you have a critical finding

Servers that return data without valid credentials are critical findings requiring immediate remediation. Document authentication mechanisms for servers that do require credentials. Verify that these mechanisms follow security best practices.

Step 3: Vulnerability Scanning

Check your MCP implementations against known vulnerabilities:

• Review CVE databases for MCP-related issues
• Use vulnerability scanners with MCP detection capabilities
• Monitor vendor security advisories for MCP components
• Check versions of MCP SDKs and servers against known-vulnerable versions

Short-Term Hardening: Close the Gaps

Enable Authentication Everywhere

For MCP servers lacking authentication, implement it immediately:

// Example: Adding authentication to an MCP server
const mcp = require('@anthropic-ai/mcp');
const crypto = require('crypto');

const server = new mcp.Server({
  authenticate: async (token) => {
    // Verify JWT or API key
    const decoded = verifyToken(token);
    return { userId: decoded.sub, permissions: decoded.scope };
  },
  authorize: async (user, tool, params) => {
    // Check if user has permission to call this tool
    return user.permissions.includes(tool.requiredPermission);
  }
});

If immediate authentication implementation isn't possible, consider:

• Network-level access controls (firewall rules, VPC isolation)
• API gateway authentication in front of MCP servers
• Temporary shutdown of non-essential MCP servers

Implement Input Validation

MCP servers should validate all inputs rigorously:

# Example: Input validation for MCP tool calls
from pydantic import BaseModel, validator
import re

class ListFilesRequest(BaseModel):
    path: str
    
    @validator('path')
    def validate_path(cls, v):
        # Prevent directory traversal
        if '..' in v or v.startswith('/'):
            raise ValueError('Invalid path')
        # Allow only alphanumeric and safe characters
        if not re.match(r'^[a-zA-Z0-9_\-/]+$', v):
            raise ValueError('Path contains invalid characters')
        return v

def list_files(request: ListFilesRequest):
    # Now safe to use request.path
    return os.listdir(request.path)

Enable Comprehensive Logging

You can't detect attacks you can't see. Implement detailed logging for all MCP activity:

{
  "timestamp": "2026-03-28T10:30:00Z",
  "event": "mcp_tool_call",
  "server_id": "mcp-prod-01",
  "client_id": "ai-agent-customer-support",
  "user": "user@company.com",
  "tool": "query_database",
  "params_hash": "sha256:abc123...",
  "result_status": "success",
  "duration_ms": 150,
  "source_ip": "10.0.1.100"
}

Ship these logs to your SIEM. Create alerts for suspicious patterns:

• Unusual tool call volumes
• Access to sensitive tools from unexpected clients
• Failed authentication attempts
• Error patterns that might indicate exploitation attempts

Medium-Term Strategy: Secure Architecture

Implement Zero Trust for MCP

Don't trust any MCP connection by default. Implement zero trust principles:

1. Verify Explicitly: Authenticate and authorize every MCP request
2. Use Least Privilege: Grant MCP clients only the permissions they need
3. Assume Breach: Monitor MCP traffic as if attackers are already inside

# Example: Zero Trust MCP policy
mcp_security_policy:
  default_deny: true
  
  clients:
    - name: customer-support-agent
      allowed_tools:
        - query_customer_db
        - update_ticket_status
      denied_tools:
        - admin_functions
        - financial_reports
      rate_limits:
        requests_per_minute: 60
        data_volume_mb_per_hour: 100
      
    - name: hr-onboarding-agent
      allowed_tools:
        - query_employee_db
        - create_user_account
      denied_tools:
        - query_customer_db
        - financial_tools

Deploy MCP Gateways

Instead of exposing MCP servers directly, route traffic through a security gateway:

AI Agents → MCP Gateway → Backend MCP Servers
                ↓
         Security Controls:
         - Authentication
         - Rate Limiting
         - Input Validation
         - Logging
         - Anomaly Detection

The gateway enforces security policies consistently across all MCP traffic. It can also provide additional defenses like request sanitization, response filtering, and circuit breakers for suspicious activity.

Implement Session Isolation

Prevent cross-client data leaks through proper session isolation:

# Example: Session isolation for MCP
import uuid
from contextvars import ContextVar

# Each MCP request gets a unique session context
session_context: ContextVar[dict] = ContextVar('session_context')

def handle_mcp_request(request, client_token):
    # Create isolated session
    session_id = uuid.uuid4()
    session_data = {
        'session_id': session_id,
        'client_id': verify_token(client_token),
        'start_time': datetime.utcnow(),
        'data_accessed': []
    }
    
    # Set context for this request
    token = session_context.set(session_data)
    
    try:
        # Process request in isolated context
        result = process_tool_call(request)
        
        # Log what data was accessed
        audit_log.info(f"Session {session_id} accessed: {session_data['data_accessed']}")
        
        return result
    finally:
        # Clean up context
        session_context.reset(token)

Long-Term Vision: Secure by Design

Demand Vendor Accountability

When evaluating AI agent and MCP solutions, require vendors to document:

• Which MCP servers they deploy and their security configurations
• Authentication mechanisms and how to integrate with your identity provider
• How they handle session isolation and data separation
• Their vulnerability disclosure and patching processes
• Evidence of third-party security assessments

Don't accept non-answers. Vendors who can't explain their MCP security posture are critical control gaps.

Build Internal MCP Security Expertise

MCP security is a specialized domain. Invest in training for your security team:

• MCP protocol internals and common vulnerability patterns
• AI agent behavior and how attackers exploit it
• Tools and techniques for MCP security assessment
• Incident response procedures for MCP-related breaches

Participate in Industry Collaboration

The MCP security crisis requires collective action:

• Share threat intelligence about MCP attacks
• Contribute to open-source MCP security tools
• Participate in standards development for secure MCP implementations
• Report vulnerabilities responsibly to help improve the ecosystem

FAQ: MCP Security for Enterprise Leaders

What is MCP and why should CISOs care about it?

The Model Context Protocol (MCP) is a standardized protocol that allows AI agents to connect to enterprise tools, databases, and APIs. CISOs should care because MCP has become the dominant integration method for AI agents - and recent research shows it has significant security vulnerabilities, with 30 CVEs filed in just 60 days and 38% of public MCP servers lacking authentication.

How do I know if my organization is using MCP?

MCP may be in use even if you haven't explicitly deployed it. Check for:

• AI agent projects that access multiple enterprise systems
• Vendor solutions that mention "context protocol" or "MCP"
• Development teams building AI integrations
• Cloud deployment logs showing MCP traffic patterns
• Network scans for MCP default ports (3000, 8080, 9000)

What are the most critical MCP vulnerabilities right now?

The most serious vulnerabilities include:

• CVE-2026-25536: Cross-client data leak in MCP TypeScript SDK
• CVE-2026-23744: Remote code execution in MCPJam Inspector
• Prompt injection through MCP's sampling interface
• Widespread lack of authentication on public MCP servers

How can attackers exploit MCP vulnerabilities?

Attackers can exploit MCP to:

• Steal data from AI agent sessions through cross-client leaks
• Execute code on MCP servers for persistent access
• Inject malicious prompts that compromise AI agent behavior
• Move laterally through connected enterprise systems
• Maintain persistence across AI agent restarts

What's the difference between MCP vulnerabilities and traditional API vulnerabilities?

MCP vulnerabilities are particularly dangerous because:

• MCP acts as connective tissue between multiple systems, amplifying impact
• AI agents act autonomously, eliminating human review checkpoints
• MCP's complexity creates a larger attack surface than typical APIs
• Many MCP deployments lack basic security controls like authentication

Should we stop using MCP entirely?

Complete avoidance may not be practical given MCP's widespread adoption. Instead:

• Conduct a security assessment of your MCP infrastructure
• Implement the hardening measures outlined in this article
• Consider MCP alternatives for high-security use cases
• Demand security improvements from MCP vendors
• Plan for a phased migration to more secure alternatives if necessary

How quickly do we need to act on MCP security?

With 30 CVEs in 60 days and active exploitation in the wild, MCP security should be treated as a high priority:

• Immediate: Inventory your MCP infrastructure and enable authentication
• Short-term: Implement input validation, logging, and monitoring
• Medium-term: Deploy MCP gateways and zero trust policies
• Ongoing: Monitor threat intelligence and maintain security updates

What questions should I ask MCP vendors?

Key questions include:

• Which MCP servers do you deploy and how are they secured?
• What authentication mechanisms do you support?
• How do you handle session isolation between clients?
• What's your vulnerability disclosure and patching process?
• Can you provide evidence of third-party security assessments?
• How do you prevent prompt injection through MCP connections?

How does MCP security relate to broader AI agent security?

MCP security is a component of AI agent security, but it's a critical one. Even if your AI agents themselves are secure, vulnerable MCP connections can expose them to attacks. A comprehensive AI agent security strategy must include MCP assessment and hardening.

What are the signs of an MCP-related security incident?

Watch for:

• Unusual data access patterns from AI agents
• Failed authentication attempts against MCP servers
• Unexpected tool calls or data queries
• Error messages indicating session conflicts
• Network traffic to unknown MCP endpoints
• Reports of data exposure from AI agent interactions

The Road Ahead: Securing AI Agent Infrastructure

The MCP security crisis is a wake-up call. As organizations rush to deploy AI agents, they're building on infrastructure that wasn't designed with security as a primary concern. The 30 CVEs in 60 days aren't a failure of any single vendor - they're a symptom of an industry moving faster than its security practices can support.

But this crisis also presents an opportunity. Organizations that take MCP security seriously now will have a significant advantage. They'll be able to deploy AI agents with confidence, knowing their infrastructure can withstand attacks. They'll avoid the breaches and data exposures that will inevitably hit organizations that ignored the warning signs.

The path forward requires a fundamental shift in how we approach AI agent security:

From Implicit Trust to Explicit Verification:
Don't assume MCP connections are secure. Verify authentication, validate inputs, and monitor traffic. Treat every MCP server as potentially hostile until proven otherwise.

From Rapid Deployment to Secure Deployment:
The race to deploy AI agents has created security debt. Pay it down. Implement proper security controls before expanding AI agent deployments. Security isn't a feature you can add later - it's a foundation you must build on.

From Isolated Tools to Integrated Defense:
MCP security doesn't exist in a vacuum. It requires coordination between AI teams, security teams, and infrastructure teams. Break down silos and build integrated defense strategies that cover the entire AI agent ecosystem.

From Reactive Patching to Proactive Hardening:
Don't wait for the next CVE to secure your MCP infrastructure. Implement defense-in-depth now. The vulnerabilities we know about are bad enough - the ones we haven't discovered yet could be worse.

Conclusion: The Protocol That Connects Everything Must Be Secure

The Model Context Protocol promised to solve a real problem: how do we let AI agents securely access enterprise tools? But in the rush to realize that promise, security became an afterthought. The result is an infrastructure crisis that threatens to undermine the entire AI agent ecosystem.

Organizations using AI agents must act now. The vulnerabilities are real. The attacks are happening. The only question is whether you'll be a victim or a defender.

Start with inventory. Know what MCP infrastructure you have. Then harden it. Enable authentication. Implement monitoring. Deploy gateways. Build zero trust policies. And demand better from vendors.

The MCP security crisis is a challenge, but it's also an opportunity. The organizations that solve it will be the ones that can safely harness the power of AI agents. The ones that ignore it will become cautionary tales.

Your AI agents are only as secure as the protocols connecting them. It's time to secure the connection.

---

Stay ahead of emerging AI security threats. Subscribe to the Hexon.bot newsletter for weekly insights on securing AI agents and enterprise AI infrastructure.