The MCP Security Audit Nobody Ran: Nine CVEs, No Patch Tracker, and 7,973 Servers Still Out There
The Model Context Protocol shipped without mandatory authentication requirements on November 5, 2024. By the time Anthropic updated the specification to include explicit security guidance — on November 25, 2025 — researchers had already identified 7,973 live remote MCP servers operating on the public internet, found that 40.55% exposed their tools without any authentication at all, and confirmed that every one of 119 OAuth-enabled servers they tested contained at least one authentication flaw, totaling 325 distinct vulnerabilities across nine specific types.
Nine of those vulnerabilities received CVE identifiers through responsible disclosure. What happened after that is harder to answer.
There is no public record tracking whether the affected servers were patched. The researchers who obtained the CVEs are bound by disclosure agreements that prevent them from naming most of the vendors involved. The original paper lists findings, not fix rates. A representative for one affected vendor told me their patch shipped within the standard 90-day window; two others did not respond to requests for comment. The remaining six CVE holders are unknown.
This is the gap the paper leaves open, and it is the gap that matters most to the operators running those 7,973 servers today.
"They did the hard part," said one security researcher who reviewed the findings but asked not to be named because they had not been cleared to comment publicly. "They found the holes. What nobody did was check whether anyone filled them in."
The numbers that make the gap visible are specific. The paper found that 96.6% of OAuth-enabled MCP servers contained dynamic client registration flaws — vulnerabilities in how new client applications register themselves with a server, a process that, when implemented correctly, includes binding the registration to a specific redirect URI and validating client metadata. The same proportion had open client environment flaws, where secrets intended to authenticate a client were accessible to any user with network access to the server rather than held exclusively in a protected runtime. Combined with the finding that 2,428 of the identified servers implement OAuth-based authorization flows, the math is not reassuring.
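What "binding the registration to a specific redirect URI and validating client metadata" can look like on the server side, as an added example that is not code from the paper or from any MCP SDK. The metadata field names follow RFC 7591; the function names and the allowed-method policy are assumptions of this sketch.

```python
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}
# Assumed server policy for this example, not a list taken from the paper.
ALLOWED_AUTH_METHODS = {"none", "client_secret_basic", "client_secret_post",
                        "private_key_jwt"}


def redirect_uri_problem(uri):
    """Return why a redirect URI is unacceptable, or None if it is fine."""
    if not isinstance(uri, str) or "*" in uri:
        return "not a literal URI"
    try:
        parts = urlsplit(uri)
    except ValueError:
        return "unparseable"
    if parts.fragment or uri.endswith("#"):
        return "contains a fragment"
    if parts.scheme == "https" and parts.hostname:
        return None
    if parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS:
        return None  # loopback redirect used by native clients
    return "scheme or host not allowed"


def validate_registration(metadata):
    """Check registration metadata; return a list of errors (empty = accept)."""
    uris = metadata.get("redirect_uris")
    if not isinstance(uris, list) or not uris:
        return ["redirect_uris missing or empty"]
    errors = []
    for uri in uris:
        problem = redirect_uri_problem(uri)
        if problem:
            errors.append(f"{uri!r}: {problem}")
    method = metadata.get("token_endpoint_auth_method", "client_secret_basic")
    if method not in ALLOWED_AUTH_METHODS:
        errors.append(f"unsupported token_endpoint_auth_method: {method!r}")
    return errors


def redirect_allowed(registered_uris, requested_uri):
    """Authorization-time binding: exact string match, no prefix matching."""
    return requested_uri in registered_uris
```

The second function is the binding step: an authorization request is honored only when its redirect URI is character-for-character one of the URIs stored at registration.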
Pynt, a security firm, published separate research estimating that ten connected MCP servers in a single AI agent workflow create a 92% probability of successful exploitation — a figure that reflects the compounding effect of adding more potentially compromised endpoints to a single autonomous decision chain.
Independent confirmation that this is not a theoretical problem comes from multiple directions. Cato CTRL published findings in May 2026 describing two OAuth token handling vulnerabilities in Anthropic's own MCP SDK — meaning the implementation gaps exist at the protocol level, not only in third-party servers. Obsidian Security documented a coordinated disclosure process between June and August 2025 that resulted in patches from multiple vendors, though the specific companies were not named. JFrog Security Research separately identified CVE-2025-6514, a CVSS 9.6 vulnerability in the mcp-remote project, affecting server configurations that allow unauthenticated tool access.
The NSA published security design considerations for AI-driven automation leveraging MCP in May 2026, the same week the Fudan paper appeared on arXiv. The timing suggests the agency was tracking this class of risk independently.
What the research does not answer is whether the patch rate for the nine CVEs is 20% or 100%. The answer changes what the 7,973-server figure means. If most are patched, the finding is an important historical record of a problem that was caught and contained. If most remain unpatched, the figure is a current, active exposure count for a class of server that handles tool execution and data access for AI agents performing real work — in code generation, data retrieval, and workflow automation — inside production environments.
The distinction matters because MCP was designed to make AI agents useful by connecting them to external tools. The protocol's primary value proposition is delegation: the agent acts on the user's behalf, invoking tools that require authorization. Authentication is what separates a tool the agent is permitted to use from a tool anyone on the internet can use. Without it, the agent's authority becomes the attacker's entry point.
Whether that entry point is currently open is the question nobody has answered publicly. The researchers did their scan between September and November 2025. The paper was submitted May 21, 2026. The window between those dates — roughly six months — is unaccounted for in the public record.
The Fudan team is not the only group that has documented MCP authentication risks, but it is the only one that produced a comprehensive map of the live server landscape. That map is now a year old in places. The servers it identified may have been patched, taken offline, or replaced. They may not have been touched at all.
A type0 audit of the nine CVE patch statuses — checking NVD records, vendor security advisories, and GitHub security tabs — would resolve the most important empirical gap in the current record. Until someone runs that audit, the most accurate statement available is that the MCP ecosystem has a documented authentication problem, an active CVE program, and no public accounting of outcomes. That is not the same as knowing the problem is solved.
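The NVD half of such an audit can be sketched as follows, as an added example and not a tool from the paper or from any vendor. It assumes records in the NVD CVE API 2.0 JSON shape; the sample data is constructed, the CVE ids are placeholders, and the status labels and function names are this example's own.

```python
import json

# Constructed sample shaped like an NVD CVE API 2.0 response. The CVE ids are
# placeholders and the URLs invented; these are not the nine CVEs in the paper.
SAMPLE_NVD_JSON = """
{"vulnerabilities": [
  {"cve": {"id": "CVE-0000-00001", "references": [
    {"url": "https://vendor-a.example/advisories/1", "tags": ["Vendor Advisory"]},
    {"url": "https://code.example/vendor-a/server/commit/abc", "tags": ["Patch"]}]}},
  {"cve": {"id": "CVE-0000-00002", "references": [
    {"url": "https://vendor-b.example/security/2", "tags": ["Vendor Advisory"]}]}},
  {"cve": {"id": "CVE-0000-00003", "references": [
    {"url": "https://research.example/writeup"}]}}
]}
"""


def patch_evidence(cve):
    """Classify one CVE record by the reference tags NVD attached to it."""
    tags = set()
    for ref in cve.get("references", []):
        tags.update(ref.get("tags", []))  # a reference may carry no tags
    if "Patch" in tags:
        return "patch-referenced"
    if tags & {"Vendor Advisory", "Release Notes"}:
        return "advisory-only"
    return "no-public-evidence"


def audit(nvd_response_text):
    """Map each CVE id in an NVD response to its patch-evidence status."""
    data = json.loads(nvd_response_text)
    return {item["cve"]["id"]: patch_evidence(item["cve"])
            for item in data.get("vulnerabilities", [])}


def summarize(results):
    """Count CVEs per status, the figure the public record currently lacks."""
    counts = {}
    for status in results.values():
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_NVD_JSON)
    for cve_id, status in sorted(results.items()):
        print(cve_id, status)
    print(summarize(results))
```

A "patch-referenced" result shows only that a fix was published; whether deployed servers applied it still requires checking vendor advisories and the servers themselves.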