What is prompt injection in MCP servers?

A malicious MCP server (or poisoned tool response) injects instructions into the agent's context that override legitimate commands, causing it to exfiltrate data, run arbitrary commands, or bypass security checks.

What is an SSRF vulnerability in an MCP server?

Server-Side Request Forgery — the MCP server will fetch any URL it's given, including internal metadata endpoints (169.254.169.254 on AWS). Attackers use this to steal IAM credentials, session tokens, and internal API keys.

How did Anthropic's mcp-server-git get exploited?

Cyata Security found 3 flaws: arbitrary file read via path traversal, arbitrary code execution via prompt injection, and chain exploit combining filesystem + git MCP to achieve RCE. Anthropic quietly patched in Jan 2026.

How many MCP servers have security vulnerabilities?

BlueRock Security analyzed 7,000+ public MCP servers: 36.7% are SSRF-vulnerable, 41% require no authentication at all. Only 8.5% use OAuth.

What tools exist to scan MCP servers for vulnerabilities?

mcp-scan (Stytch), Backslash Security MCP scanner, MCP-Scanner on HN. All early-stage. No category leader with significant traction yet.

What CVEs have been filed against MCP servers in 2026?

40+ CVEs filed between Jan-Apr 2026. Includes RCE in Anthropic mcp-server-git (Jan 2026), SSRF in Azure MCP (CVE-2026-26118, March 2026), systemic RCE in MCP SDK stdio transport affecting 150M+ downloads (April 2026).

← Back to dashboard

clawsmith.com/signal/mcp-security-crisis-ssrf-rce-40-cves

⚠ IssueWide Openai_agent_mcpLive

MCP Security Crisis: 40+ CVEs, 36% SSRF Exposure, Prompt Injection at Scale

BlueRock Security analyzed 7,000+ public MCP servers: 36.7% have SSRF vulnerabilities, 41% require no authentication at all. Anthropic's own mcp-server-git shipped with 3 RCE-enabling flaws (quietly patched Jan 2026). OX Security disclosed a systemic RCE in MCP SDK stdio transport affecting all language SDKs and 150M+ downloads. Trend Micro found 492 MCP servers exposed with zero auth. Between Jan-Apr 2026, 40+ CVEs filed. A Reddit post on r/netsec about AI coding tools leaking secrets via config directories got 163 upvotes and 17 comments. The 'S in MCP stands for Security' article went HN-front-page.

Product Idea from this Signal

A CLI tool that scans any public MCP server for SSRF, missing auth, and stdio RCE flaws before a developer adds it to their agent config

180 ▲

Between January and April 2026, 40+ CVEs were filed against MCP servers. BlueRock Security scanned 7,000+ public MCP servers and found 36.7% have SSRF vulnerabilities and 41% require no authentication at all. OX Security disclosed a systemic RCE in the MCP SDK's stdio transport affecting 150M+ downloads, and Anthropic's own mcp-server-git shipped with three RCE-enabling flaws that were quietly patched. Every developer adding a third-party MCP server to their agent config is implicitly trusting code that, statistically, has a one-in-three chance of SSRF exposure and nearly even odds of requiring no auth at all. This tool lets a developer run a single command against any public MCP server's GitHub repo URL or running endpoint and get a line-level trust report covering SSRF patterns in tool parameter handling, auth posture on tool routes, prompt injection strings in tool descriptions, and unsanitized shell calls in stdio transport handlers, before the server ever touches their agent config.

CLISECURITYMCPDEVTOOLSTATIC-ANALYSISAGENT-SECURITY

Competitive24 leadsView Opportunity →

Score Breakdown

180

Social Proof 2 sources

AI coding tools are leaking secrets via configuration directories

2/1/2026

180 HN

Show HN: We scanned 306 MCP servers – 10% have critical vulnerabilities

2/3/2026

Gap Assessment

Wide OpenNo dedicated solution exists

No standard auth enforcement layer, no universal MCP security scanner with >1k traction. mcp-scan and Backslash Security are early-stage. OWASP top 10 LLM ranks prompt injection #1 but no category-leader solution for MCP-specific security.

Frequently Asked Questions

Virality Score

180

across 0 platforms

Details

Signalissue

Ecosystemai_agent_mcp

Sources2

Platforms0

Updated2h ago

Trend→ stable

Top ideas

All ideas →

0A mobile app that detects and removes AI-generated tracks from your Spotify playlists before you hear them 0A web app that tracks AI coding tool spend across Copilot, Claude Code, and Cursor, normalized per commit and per PR 0A browser extension that monitors installed extensions for ownership transfers, permission scope changes, and suspicious outbound data requests in real time

Related signals

All signals →

1.1KOpenAI MCP Support in Agents SDK Signals Full Ecosystem Lock-In 923MCP Context Bloat Is Breaking Enterprise AI Agents 261Shadow MCP: Employees Deploying Unauthorized MCP Servers Without IT Oversight