When Microsoft's security team patched a critical vulnerability in their Azure MCP Server last March, the post-mortem revealed something uncomfortable: the bug wasn't exotic. An attacker could steal a managed identity token because the MCP server made outbound requests that included it. Trivial, once you knew where to look.
That vulnerability, CVE-2026-26118 with a CVSS score of 8.8, is one of more than 30 CVEs filed against MCP servers in January and February 2026 alone. But calling this a protocol problem misses the point, argues Nik Kale, a principal engineer and contributor to IETF working groups on AI agent identity. In a perspective piece published this week on SC Media, Kale argues that MCP's security flaw is not a technical vulnerability: it is a missing layer of identity architecture that the entire ecosystem has normalized.
The human disappears at the boundary
MCP, the Model Context Protocol, was built to let AI agents talk to external tools and data sources in a standardized way. Microsoft, Google, Amazon, and most other agent frameworks have adopted it. It ships with no authentication enabled by default.
That default matters more than it sounds. When a human asks an agent to do something, the agent connects to an MCP server to execute it. At that connection point, the human's identity vanishes. The MCP server sees a request from an authenticated agent using a static API key or service account. It has no way to know which human authorized the action, what scope they intended, or whether the action makes sense in context.
Kale calls this "the identity that disappears at the MCP boundary." He should know: he built multi-agent systems serving hundreds of thousands of users before running into exactly this problem. His team solved it by propagating the initiating user's identity through every agent action, tying each action back to a specific human, session, and context. MCP, as currently deployed, breaks that traceability chain at every server boundary.
What actually happened in the real-world incidents
The Google Antigravity incident from December 2025 illustrates the pattern. An agent deleted a user's entire D: drive while clearing a cache. Technically, it had the authorization: the credentials were valid, the action was permitted. What was missing was the link between the agent's action and the human who supposedly authorized it.
The Replit incident followed the same script. An agent deleted a production database it had determined was obsolete. Again: valid credentials, permitted action, human accountability nowhere to be found.
These aren't edge cases. Adversa AI found that nearly 38% of the 500-plus MCP servers it scanned lack authentication. Knostic's research identified 1,862 MCP servers accessible over the internet with no identity governance controls. Separate analysis of 2,614 MCP implementations found that 82% use file operations vulnerable to path traversal attacks.
Gartner predicts that by 2028, 25% of enterprise breaches will involve AI agents, not through sophisticated prompt injection attacks, but through the most basic failure mode: an agent used credentials that nobody could trace back to a human.
The fix exists. The question is deployment.
Kale's three recommendations are concrete. First, implement OAuth On-Behalf-Of flows for every MCP server connection. Microsoft's Identity and Security Engineering (ISE) team has published a production-ready implementation of OAuth 2.1 with OBO flows. MuleSoft's Agent Fabric includes identity propagation as a feature. The technology is available; the question is whether teams are using it.
Second, treat MCP server discovery as an identity governance problem. Noma Security's research found that more than 90% of organizations deploy MCP servers with default configurations that expose all tools, including potentially destructive ones. If your security team can't inventory every MCP server, the identities those servers use, and the tools they expose, you have an unmanaged attack surface that grows every time a developer spins up a new agent.
Third, log the reasoning chain alongside the identity chain. When an attacker steals a managed identity token via SSRF, as happened in CVE-2026-26118, you need to know not just which identity was compromised but what the agent was attempting to do at the time.
The deeper problem
The industry has responded to this pattern by building gateway products and writing better specifications. Kale argues this misdiagnoses the problem. A gateway without identity propagation is a firewall for traffic that has already lost its most important metadata: who asked for this.
The MCP ecosystem grew fast enough that security normalized around credentials with no human in the loop. Agents can do things that would normally require human approval because the infrastructure was never designed to pass that approval through. The 38% unauthenticated servers aren't a mystery. They're what happens when a protocol ships with a developer-friendly default and an ecosystem scales it into production without revisiting that default.
The patch for CVE-2026-26118 closed the specific vulnerability. The identity gap it exposed is still open.
Primary source: Nik Kale, "MCP isn't a protocol problem. It's an identity crisis nobody is treating," SC Media, April 6, 2026
