DEV Community

Anders

Originally published at nerq.ai

The State of MCP Server Security — 2026 Audit

Published: 2026-03-13 | Author: Nerq Research

We scanned 17,468 MCP servers indexed by Nerq for known vulnerabilities. The results are concerning.

Key Findings

  • 49 CVEs found across the MCP ecosystem
  • 9 CRITICAL severity (CVSS 9.0+)
  • 31 HIGH severity (CVSS 7.0-8.9)
  • 8 MEDIUM severity
  • Several of the most-downloaded MCP servers have unpatched vulnerabilities

Why This Matters

MCP (Model Context Protocol) servers are the bridge between AI models and external tools. When Claude, ChatGPT, or any LLM uses an MCP server to read files, query databases, or make API calls, it's trusting that server with access to sensitive systems.

A compromised MCP server can:

  1. Exfiltrate data — read files, database contents, API keys and send them to an attacker
  2. Execute arbitrary code — if the MCP server has shell access, a vulnerability could allow remote code execution
  3. Poison model context — inject misleading data that causes the AI to make wrong decisions
  4. Lateral movement — use the MCP server's network position to access internal systems

The Most Common Vulnerabilities

Dependency chain risks

Most MCP servers are thin Node.js or Python wrappers around SDK libraries. When those SDK libraries have CVEs, every MCP server built on them inherits the vulnerability — often without the maintainer even knowing.

No input validation

Many MCP servers pass user-provided parameters directly to system calls without sanitization. This is especially common in filesystem and database MCP servers.
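
The missing check for a filesystem tool, shown beside the unvalidated pattern. This is an added example, not code from Nerq or from any scanned server. The handler name `read_file_tool`, the helper names and the sandbox contents are hypothetical and constructed here, and a POSIX filesystem is assumed.

```python
import os
import tempfile

class PathRejected(ValueError):
    """The requested path resolves outside the allowed root."""

def naive_resolve(root: str, requested: str) -> str:
    # Unvalidated pattern: os.path.join keeps ".." segments and discards
    # root entirely when the requested path is absolute.
    return os.path.join(root, requested)

def safe_resolve(root: str, requested: str) -> str:
    # Resolve ".." and symlinks on both sides, then require containment.
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, requested))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise PathRejected(f"{requested!r} resolves outside the allowed root")
    return candidate

def read_file_tool(root: str, requested: str, max_bytes: int = 65536) -> bytes:
    # Hypothetical "read_file" tool handler; the size cap bounds the response.
    with open(safe_resolve(root, requested), "rb") as fh:
        return fh.read(max_bytes)

def demo() -> dict:
    # Constructed sandbox: an allowed root, a file outside it, and a symlink
    # inside the root that points at the outside file.
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "workspace")
        os.mkdir(root)
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("ok")
        outside = os.path.join(base, "secret.env")
        with open(outside, "w") as fh:
            fh.write("API_KEY=constructed-value")
        os.symlink(outside, os.path.join(root, "link"))
        cases = {"plain": "notes.txt", "normalised": "sub/../notes.txt",
                 "dotdot": "../secret.env", "absolute": outside, "symlink": "link"}
        for label, arg in cases.items():
            try:
                read_file_tool(root, arg)
                results[label] = "allowed"
            except PathRejected:
                results[label] = "rejected"
    return results

if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:12}{verdict}")
```

The check and the open are separate steps, so a symlink swapped in between them is not covered. Running the server under an account that can only reach the allowed root limits the impact of that race and of any case the check misses.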

Overpermissioned by default

MCP servers frequently request more permissions than they need. A server that only needs to read files will request write access "just in case."

What You Should Do

  1. Check your MCP servers: curl "https://nerq.ai/v1/preflight?target=YOUR_MCP_SERVER"
  2. Review the CVE data: Nerq Trust Score v2 includes a Security dimension (15% weight) that factors in CVE count and severity
  3. Pin versions: Don't use latest for MCP server dependencies
  4. Audit permissions: Review what each MCP server can actually access

How Nerq Detects These Issues

Our CVE scanner cross-references the GitHub Advisory Database with our agent index. For each agent:

  • We check the repository and its dependency tree for known CVEs
  • Severity scoring follows CVSS v3.1 (CRITICAL/HIGH/MEDIUM/LOW)
  • Results feed into the Security dimension of Trust Score v2
  • Agents with unpatched CRITICAL CVEs get flagged with a DENY recommendation in preflight checks

Check Any MCP Server

# Single check
curl "https://nerq.ai/v1/preflight?target=filesystem-mcp-server"

# Batch check all your MCP servers
curl -X POST https://nerq.ai/v1/preflight/batch \
  -H "Content-Type: application/json" \
  -d '{"targets": ["mcp-server-1", "mcp-server-2", "mcp-server-3"]}'

# Python
from nerq import NerqClient
client = NerqClient()
r = client.preflight("your-mcp-server")
print(r.cve_count, r.recommendation)

Data from the Nerq Trust Index, covering 17,468 MCP servers from official registries and GitHub. CVE data sourced from GitHub Advisory Database. Updated daily.
