Introduction
Model Context Protocol (MCP) has revolutionized how large language models connect to tools and data sources, but new research from Pynt, an API security firm, reveals that this flexibility comes at a security cost. The study analyzes risks across 280+ popular MCP servers, discovering that vulnerabilities grow exponentially when systems combine multiple servers simultaneously.
The Problem: Growing Vulnerabilities in MCP Servers
MCP was launched by Anthropic in November 2024 and rapidly adopted by OpenAI and Microsoft by spring 2025. Today the protocol connects to over 6,000 servers, but the flexible, modular design that makes it popular also creates significant security vulnerabilities. The core issue: when systems combine multiple MCP servers, security risks don't add linearly—they compound exponentially.
Alarming Findings from the Research
The study, authored by Pynt's Golan Yosef, identified widespread vulnerability patterns. 72% of tested servers expose at least one sensitive capability to attackers, while 9% are classified as high-risk. 13% of servers accept input from unsafe sources (emails, chats, scraped web pages), allowing attackers without direct access to deliver malicious text that downstream servers might interpret as code.
How Compounded Risk Escalates Rapidly
The research reveals a critical insight: the risk of a vulnerable configuration increases dramatically with each server added, steeply at first and then flattening as it approaches certainty. With 2 servers, the probability of a vulnerable configuration reaches 36%. With 3 servers it climbs to 52%. With 5 servers it exceeds 71%, and with 10 servers it approaches 92%.
- 2 MCP servers: 36% probability of vulnerability
- 3 MCP servers: 52% probability
- 5 MCP servers: 71% probability
- 10 MCP servers: 92% probability
Real-World Attacks: When Risk Becomes Concrete
The Pynt study isn't merely theoretical. Yosef validated his risk model by attacking real-world MCP configurations in the field, proving that vulnerabilities can be exploited practically. One concrete example: an attacker supplied malicious HTML to a web scraper plug-in, which a Markdown parser interpreted as commands, automatically executed by a shell plug-in without user authorization.
"Securing individual components is a tough task in its own right, but systems of MCP components must be secured at the system level."
Pynt Research
Why MCP Presents These Risks
MCP was designed to support flexible, open-ended agentic interactions. This quality makes it powerful, but also vulnerable. Vulnerability emerges from the intersection of three factors:
- Unverifiable input sources: MCP servers often process data from emails, chats, Slack, or web pages, with no guarantee that the origin is secure.
- Powerful capabilities: Many servers have access to critical actions like code execution, file access, and API calls.
- Lack of isolation: Data flow between servers isn't sufficiently controlled, allowing a compromised server to influence others.
The Evolution of MCP Security
MCP security has only been partially addressed. Until March 2025, authentication was optional. Only then did the specification add an OAuth 2.1-based authorization framework, which prevents unauthorized access to MCP servers. However, authorization controls who may call a server; they do not prevent malicious or malformed data from flowing between servers and triggering unintended actions.
Mitigation Strategies: How to Secure MCP Systems
Researchers suggest developers mitigate "compositional risk" through three primary approaches:
- Minimize server count: Using only necessary MCP servers reduces the attack surface significantly.
- Constrain permissions strictly: Rigorously limit what each server is authorized to do (code execution, file access, API calls).
- Test data flows: Carefully verify data transfers between servers to identify possible attack vectors.
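To make the three risk factors above and the three mitigations concrete, here is an added example (not Pynt's tool, model or numbers). It describes a constructed pool of six hypothetical servers by whether they take untrusted input, which sensitive capabilities they hold and where their output flows, finds every data-flow path from an untrusted-input server to a server holding a sensitive capability (the scraper to Markdown to shell chain from the article is one such path), counts how the share of vulnerable n-server compositions grows with n, and shows the effect of least-privilege and isolation changes. All server names, attributes, edges and the resulting percentages are assumptions for illustration and do not reproduce the study's figures.

```python
"""Compositional-risk check for a set of MCP servers.

Added example, not Pynt's tool or risk model: each server is described by the
three factors the article names (untrusted input, sensitive capabilities, data
flow to other servers). An attack path is a data flow that starts at an
untrusted-input server and ends at a server holding a sensitive capability.
All server names and attributes below are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import combinations

# Capabilities the article treats as sensitive.
SENSITIVE = frozenset({"code_execution", "file_access", "api_call"})


@dataclass(frozen=True)
class Server:
    name: str
    untrusted_input: bool   # consumes e-mail, chat or scraped web content
    capabilities: frozenset  # what the server is allowed to do
    feeds: frozenset         # servers that consume this server's output


def find_attack_paths(servers):
    """Return every acyclic data-flow path (tuple of server names) from an
    untrusted-input server to a server with a sensitive capability. Only
    servers present in `servers` are followed, so the function also works on
    subsets of a larger pool."""
    by_name = {s.name: s for s in servers}
    paths = []
    for src in servers:
        if not src.untrusted_input:
            continue
        stack = [[src.name]]
        while stack:
            path = stack.pop()
            node = by_name[path[-1]]
            if node.capabilities & SENSITIVE:
                paths.append(tuple(path))
            for nxt in node.feeds:
                if nxt in by_name and nxt not in path:
                    stack.append(path + [nxt])
    return sorted(paths)


def vulnerable_fraction(pool, n):
    """Fraction of all n-server compositions drawn from `pool` that contain at
    least one attack path (mitigation 1: fewer servers, fewer bad compositions)."""
    subsets = list(combinations(pool, n))
    if not subsets:
        return 0.0
    bad = sum(1 for sub in subsets if find_attack_paths(sub))
    return bad / len(subsets)


def restrict(server, allowed):
    """Mitigation 2 (least privilege): keep only the capabilities in `allowed`."""
    return Server(server.name, server.untrusted_input,
                  server.capabilities & frozenset(allowed), server.feeds)


def isolate(server, blocked):
    """Mitigation 3 (data-flow control): cut the named downstream consumers."""
    return Server(server.name, server.untrusted_input,
                  server.capabilities, server.feeds - frozenset(blocked))


# Constructed pool modelled on the article's scraper -> Markdown -> shell chain.
POOL = (
    Server("scraper",    True,  frozenset(),                   frozenset({"markdown", "files"})),
    Server("markdown",   False, frozenset(),                   frozenset({"shell"})),
    Server("shell",      False, frozenset({"code_execution"}), frozenset()),
    Server("mailbox",    True,  frozenset(),                   frozenset({"summarizer"})),
    Server("summarizer", False, frozenset(),                   frozenset({"files"})),
    Server("files",      False, frozenset({"file_access"}),    frozenset()),
)


def apply_mitigations(pool):
    """Drop the shell's execution right and stop the summarizer writing to files."""
    fixed = []
    for s in pool:
        if s.name == "shell":
            s = restrict(s, set())
        if s.name == "summarizer":
            s = isolate(s, {"files"})
        fixed.append(s)
    return tuple(fixed)


if __name__ == "__main__":
    for p in find_attack_paths(POOL):
        print("attack path:", " -> ".join(p))
    for n in range(1, len(POOL) + 1):
        print(f"{n} servers: {vulnerable_fraction(POOL, n):.0%} of compositions vulnerable")
    print("after mitigations:", find_attack_paths(apply_mitigations(POOL)))
```

Run as a script, the pool yields three attack paths and the share of vulnerable compositions rises from 0% for a single server to 100% at five, which is the compounding effect the article describes (with constructed, not measured, numbers). Dropping the scraper (mitigation 1), removing the shell's execution capability (mitigation 2) or cutting the summarizer-to-files edge (mitigation 3) each removes paths, and the same path search is what "test data flows" amounts to when run against a real deployment's server inventory.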
The Gap Between Secure Components and Secure Systems
MCP security highlights a broader systemic problem in AI: ensuring individual component security is difficult, but protecting entire systems is an even greater challenge. A single secure server can become an attack vector when interacting with other servers in unexpected ways. The research emphasizes that security must be addressed at the system level, not just at the component level.
Conclusion
MCP has transformed how language models access tools and data, but Pynt's research reveals that convenience carries a significant security price. With 72% of servers exposing vulnerabilities and risks climbing to 92% with 10 servers, developers cannot ignore these issues. The good news: practical mitigation strategies exist. By using only necessary servers, constraining permissions, and testing data flows, risk can be significantly reduced. As MCP continues growing beyond 6,000 servers today, system-level security will become not just a best practice but a necessity.
FAQ
What is Model Context Protocol (MCP) and why does it pose security risks?
MCP is a protocol launched by Anthropic that connects language models to tools and data sources. It poses security risks because its flexible design allows multiple servers to interact in uncontrolled ways, creating vulnerabilities that compound exponentially as the number of servers increases.
What percentage of MCP servers are vulnerable according to research?
Pynt's study found that 72% of tested MCP servers expose at least one sensitive capability to attackers, while 9% are classified as high-risk. 13% accept input from unsafe sources, making systems vulnerable to indirect attacks.
How do MCP risks grow when adding more servers?
The risk of a vulnerable configuration grows rapidly with each server: 2 servers = 36%, 3 servers = 52%, 5 servers = 71%, 10 servers = 92%. This exponential growth shows how compounded risk becomes the real problem in multi-server systems.
What are three main strategies to protect MCP systems?
Researchers recommend: (1) minimizing the number of servers used, (2) strictly constraining each server's permissions by limiting code execution, file access, and API calls, and (3) testing data flows between servers to identify attack vectors.
Did OAuth 2.1 solve MCP security problems?
OAuth 2.1, added in March 2025, prevents unauthorized access to MCP servers, but doesn't solve the core problem: malicious or malformed data can still flow between servers and trigger unintended actions without additional authentication layers.
What is a real-world MCP attack example documented by research?
An attacker supplied malicious HTML to a web scraper plug-in, which a Markdown parser interpreted as commands, automatically executed by a shell plug-in without user authorization. This demonstrates how vulnerabilities are exploited in practice across interconnected servers.