Over the past several months, CraftedTrust has scanned and scored more than 4,274 MCP servers across the ecosystem. These servers span every category -- from database connectors and file system tools to API gateways and code execution environments. We evaluated each one against our 12-factor trust framework, aligned with CoSAI, OWASP, NIST AI RMF, EU AI Act, and AIUC-1 standards.
The results paint a clear picture: the MCP ecosystem has a security problem. The protocol itself is well-designed, but the servers implementing it are, in aggregate, falling short on authentication, injection resistance, dependency hygiene, and compliance readiness. This report presents the data as we see it -- the good, the bad, and the areas that need immediate attention.
Grade Distribution Across 4,274+ Servers
Every server scanned by CraftedTrust receives a letter grade (A through F) derived from weighted scores across all 12 trust factors. Here is the current distribution:
- A (Excellent): 4.2% -- Only 179 servers meet the bar for strong security across all 12 factors. These tend to be maintained by established companies or security-conscious open source teams.
- B (Good): 11.8% -- Roughly 504 servers demonstrate solid fundamentals but have gaps in one or two areas, typically compliance mapping or advanced injection testing.
- C (Acceptable): 23.1% -- About 987 servers pass basic checks but show meaningful weaknesses. Missing authentication, outdated dependencies, or no input validation are common at this tier.
- D (Poor): 34.6% -- The largest single group at 1,479 servers. These fail multiple trust factors and represent real risk if connected to production AI agents.
- F (Failing): 26.3% -- 1,125 servers fail critical security checks. Many have no authentication whatsoever, known vulnerable dependencies, and zero compliance alignment.
"Over 60% of MCP servers in the wild score a D or F. That means the majority of servers that an AI agent could connect to have not met even a baseline security standard."
These numbers are concerning, but they also represent an opportunity. The ecosystem is young, and the tooling to improve is now available. The servers that have engaged with CraftedTrust certification have shown dramatic improvements -- more on that below.
Authentication Gaps: The Most Common Finding
The single most prevalent issue across the servers we scanned is missing or weak authentication. Of the 4,274 servers evaluated:
- 52.3% implement no authentication mechanism at all. Any agent that discovers the server can connect and invoke tools without presenting credentials.
- 18.7% use a static API key passed in plaintext, often hardcoded in configuration files or example code that gets committed to public repositories.
- 14.1% implement some form of token-based auth but do not enforce expiration, rotation, or scope restrictions.
- Only 14.9% implement a robust authentication pattern such as OAuth 2.0, mutual TLS, or scoped API keys with rotation policies.
This matters because MCP servers are not passive endpoints. They execute actions on behalf of AI agents -- reading files, querying databases, making API calls, running code. An unauthenticated MCP server is an open door to whatever resources that server has access to.
Why Auth Is Lagging
Many MCP server authors start from a prototyping mindset. The MCP specification treats authorization as optional: it describes an OAuth 2.1-based flow for HTTP transports, but nothing obliges a server to implement it, and stdio servers are expected to take credentials from their environment, so the decision rests with each developer. In the rush to ship a working server, auth is deferred, and then never added. The result is thousands of servers that work perfectly as a local stdio process but become a liability the moment they are exposed to a network.
Injection Resistance: A Widespread Vulnerability
MCP servers sit at a unique intersection: they receive structured input from AI agents, which in turn receive input from users. This creates a two-stage injection surface that many server authors have not accounted for.
- Prompt injection vectors: 41.8% of servers pass agent-supplied parameters directly into system prompts, database queries, or shell commands without sanitization. An attacker who controls part of the conversation can influence what the MCP server executes.
- Command injection: 28.4% of servers that invoke shell commands or subprocess calls do so with string concatenation rather than parameterized execution. Classic command injection patterns apply.
- SQL injection: 16.2% of database-connected servers construct queries via string interpolation rather than prepared statements.
- Path traversal: 22.7% of file system servers do not adequately restrict or validate file paths, allowing access outside the intended directory scope.
The overlap between these categories is significant. A server that is vulnerable to prompt injection is often also vulnerable to command injection, because the root cause is the same: unsanitized input flowing into sensitive operations.
Dependency Health: The Supply Chain Extends Into MCP
The software supply chain problem that has plagued npm and PyPI for years has followed developers into the MCP ecosystem. Our dependency health scans, powered by Touchstone CVE research, reveal the following:
- 38.9% of servers have at least one dependency with a known critical or high-severity CVE.
- 57.2% have dependencies that have not been updated in over 12 months.
- 14.6% depend on packages that have been deprecated or abandoned by their maintainers.
- 6.3% include dependencies flagged for suspicious behavior patterns -- packages with install scripts that make network calls, obfuscated code, or unexpected permission requests.
The dependency problem is especially acute because MCP servers tend to be small, single-purpose projects. Maintainers build them, publish them, and move on. Without ongoing maintenance, the dependency tree rots. Six months after publication, a server that was secure at launch may have accumulated multiple known vulnerabilities through its dependencies alone.
Compliance Readiness: Nearly Nonexistent
CraftedTrust maps each server's security posture against five major compliance and governance frameworks: CoSAI, OWASP AI Security, EU AI Act, NIST AI RMF, and AIUC-1. The results here are stark:
- 3.1% of servers demonstrate alignment with all five frameworks.
- 8.7% align with at least three frameworks.
- 21.4% partially align with one or two frameworks, typically OWASP or CoSAI, due to overlap with general web security practices.
- 66.8% show no meaningful compliance alignment with any framework.
For enterprises evaluating MCP servers for production use, this is a serious blocker. Regulatory requirements under the EU AI Act and internal governance policies under NIST AI RMF increasingly apply to AI agent infrastructure -- and MCP servers are part of that infrastructure. Connecting an AI agent to a non-compliant server introduces regulatory risk that compliance teams cannot accept.
Transport Security: Better, But Not Good Enough
Transport security is the one area where the ecosystem performs relatively well, though there are still gaps:
- 71.3% of remotely accessible servers enforce TLS for incoming connections.
- 12.4% support TLS but do not enforce it -- they accept both encrypted and unencrypted connections.
- 16.3% of remote servers operate without TLS entirely.
- Of the servers using TLS, 8.9% have certificate issues: expired certificates, self-signed certificates in production, or certificates with mismatched hostnames.
The relatively high TLS adoption rate likely reflects the fact that most remote MCP servers are deployed on platforms (cloud providers, containerized environments) where TLS termination is straightforward to configure. The 16.3% operating without encryption is still too high for a protocol whose messages carry tool arguments and results, which can include sensitive data, credentials, and PII, and the 12.4% that accept plaintext alongside TLS are only one misconfigured client away from the same exposure.
The Good News: Certification Drives Real Improvement
The data is not all bleak. Servers that have engaged with the CraftedTrust certification program show measurably better security posture:
- Servers that completed certification improved their overall trust score by an average of 34 points (on a 100-point scale).
- 91% of certified servers now implement proper authentication, compared to 14.9% across the general population.
- 87% of certified servers pass all injection resistance checks.
- 100% of certified servers enforce TLS with valid certificates.
- Certified servers align with an average of 4.2 out of 5 compliance frameworks.
The certification process works because it provides specific, actionable feedback. When a server author knows exactly which checks they are failing and why, the path to improvement becomes concrete rather than abstract. The on-chain EAS attestation that anchors each certification also creates accountability -- it is a public, verifiable record that cannot be quietly revoked.
Recommendations for the Ecosystem
Based on the data from our scans, here is what we believe the MCP ecosystem needs to prioritize:
1. Implement Authentication by Default
MCP server frameworks and starter templates should ship with authentication enabled out of the box. The default state of a new MCP server should be "locked down," not "open to all." At minimum, every server should require an API key. Ideally, servers should support OAuth 2.0 or mutual TLS for production deployments.
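The token pattern the authentication findings above contrast with static keys (expiry, rotation by key ID, and per-tool scopes), as an added example that is not CraftedTrust's code and not an MCP SDK API. The `<key_id>.<secret>` token format, the in-memory store, and the tool-name-to-scope mapping are assumptions made for the example; a real deployment would put the store behind a database and issue tokens through OAuth or a key-management service.

```python
"""Added example: scoped, expiring bearer tokens for an HTTP-transport MCP server.
Not CraftedTrust's code and not an MCP SDK API; the '<key_id>.<secret>' token
format, the in-memory store and the tool-to-scope mapping are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# The pattern the scan flags: one static key shared by every client, compared
# with ==. It cannot be scoped, expired or rotated per client, and == stops at
# the first differing character, which leaks timing information.
STATIC_KEY = "sk-live-example"          # constructed value


def weak_check(presented: str) -> bool:
    return presented == STATIC_KEY


@dataclass
class TokenRecord:
    key_id: str
    secret_hash: bytes          # sha256(secret); the plaintext secret is never stored
    scopes: frozenset
    expires_at: float           # unix seconds


class TokenStore:
    """Issues tokens as '<key_id>.<secret>' and validates presented tokens."""

    def __init__(self, clock=time.time):
        self._records = {}
        self._clock = clock     # injectable so expiry can be exercised in tests

    def issue(self, scopes, ttl_seconds: int) -> str:
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self._records[key_id] = TokenRecord(
            key_id=key_id,
            secret_hash=hashlib.sha256(secret.encode()).digest(),
            scopes=frozenset(scopes),
            expires_at=self._clock() + ttl_seconds,
        )
        return f"{key_id}.{secret}"

    def revoke(self, key_id: str) -> None:
        # Rotation: issue a new token, then revoke the old key_id once clients have moved.
        self._records.pop(key_id, None)

    def authenticate(self, presented: str):
        """Return the TokenRecord for a valid, unexpired token, otherwise None."""
        key_id, sep, secret = presented.partition(".")
        if not sep:
            return None
        record = self._records.get(key_id)
        if record is None:
            return None
        digest = hashlib.sha256(secret.encode()).digest()
        if not hmac.compare_digest(digest, record.secret_hash):   # constant-time compare
            return None
        if self._clock() >= record.expires_at:
            return None
        return record


# Assumed mapping from MCP tool names to the scope a token must carry to call them.
TOOL_SCOPES = {
    "read_file": "files:read",
    "write_file": "files:write",
    "run_query": "db:read",
}


def authorize_tool_call(store: TokenStore, authorization_header: str, tool_name: str):
    """Gate a tools/call request. Returns (http_status, reason)."""
    if not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    record = store.authenticate(authorization_header[len("Bearer "):])
    if record is None:
        return 401, "invalid or expired token"
    required = TOOL_SCOPES.get(tool_name)
    if required is None:
        return 404, f"unknown tool {tool_name}"
    if required not in record.scopes:
        return 403, f"token lacks scope {required}"
    return 200, "ok"


if __name__ == "__main__":
    store = TokenStore()
    token = store.issue({"files:read"}, ttl_seconds=3600)
    print(authorize_tool_call(store, "Bearer " + token, "read_file"))   # (200, 'ok')
    print(authorize_tool_call(store, "Bearer " + token, "write_file"))  # (403, ...)
```

The three properties the 14.1% tier is missing each map to one line: `expires_at` is checked on every call, `revoke` plus a fresh `issue` is rotation without downtime because old and new tokens coexist under different key IDs, and the scope check runs per tool name rather than per server, so a token for a read-only tool cannot reach `write_file`.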
2. Sanitize All Input
Every parameter received from an AI agent should be treated as untrusted input. Use parameterized queries for database operations, avoid shell command string concatenation, validate file paths against an allowlist, and never pass raw agent input into system prompts or configuration.
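The three code-level sinks from the injection findings (command, SQL, and path) in the pattern the scan flags, each next to the form this recommendation calls for, as an added example that is not CraftedTrust's code and not from any MCP server. The users table, tool inputs, and payloads are constructed, and the command-injection half assumes a POSIX shell. Prompt injection into system prompts has no equivalent library fix and is left to the guidance above.

```python
"""Added example, not CraftedTrust's code and not from any MCP server: the three
code-level sinks in the injection findings, each in the pattern the scan flags next
to the form that closes it. The table, tool inputs and payloads are constructed,
and the command-injection half assumes a POSIX shell."""
import os
import sqlite3
import subprocess
import sys
import tempfile


# --- Command injection: concatenation into a shell string vs. an argument vector ---
def run_unsafe(user_arg: str) -> str:
    # shell=True hands the whole string to /bin/sh, so ';', '|' and '$(...)' inside
    # an agent-supplied argument become shell syntax, not data.
    done = subprocess.run("echo " + user_arg, shell=True, capture_output=True, text=True)
    return done.stdout


def run_safe(user_arg: str) -> str:
    # No shell: the argument is one argv entry, so metacharacters are just characters.
    # (A python one-liner stands in for the real tool so the example is portable.)
    done = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", user_arg],
        capture_output=True, text=True, check=True,
    )
    return done.stdout


# --- SQL injection: interpolated literal vs. bound parameter ---
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # name="' OR '1'='1" turns the WHERE clause into a tautology and returns every row
    return conn.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # The driver sends the value separately from the statement; it can never become SQL
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


# --- Path traversal: containment check on the fully resolved path ---
def resolve_in_root(root: str, requested: str) -> str:
    """Map an agent-supplied path onto `root`, refusing anything that escapes it."""
    root_real = os.path.realpath(root)
    # realpath collapses '..' and follows symlinks, so the check sees the final target.
    # os.path.join drops root entirely when `requested` is absolute; realpath exposes that too.
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"{requested!r} resolves outside {root_real}")
    return candidate


def escapes_root(root: str, requested: str) -> bool:
    """True when resolve_in_root rejects the path (convenience for checks and tests)."""
    try:
        resolve_in_root(root, requested)
    except PermissionError:
        return True
    return False


def make_temp_root() -> str:
    return tempfile.mkdtemp(prefix="mcp-files-")


if __name__ == "__main__":
    payload = "hi; echo INJECTED"
    print(repr(run_unsafe(payload)), repr(run_safe(payload)))
    conn = make_db()
    print(lookup_unsafe(conn, "' OR '1'='1"), lookup_safe(conn, "' OR '1'='1"))
    root = make_temp_root()
    print(resolve_in_root(root, "docs/readme.md"))
    print("blocked:", escapes_root(root, "../../etc/passwd"))
```

Note that the path check compares the resolved path against the resolved root rather than looking for `..` in the input string: encoded or doubled separators, symlinks inside the root, and absolute paths all survive a string filter but not a `realpath` comparison.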
3. Scan and Update Dependencies Continuously
Run automated dependency audits on every commit. Set up Dependabot, Renovate, or a similar tool to keep packages current. Remove unused dependencies. Pin versions in production. If a dependency has a known CVE, patch it or replace it.
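The matching step behind the dependency findings above and this recommendation, as an added example that is not CraftedTrust's Touchstone engine and uses no real advisory feed: a constructed requirements file is checked against a constructed advisory list with half-open affected ranges and constructed last-release dates. Real tooling (pip-audit, npm audit, osv-scanner) performs the same comparison against live advisory databases; the package names, versions, and `EX-` advisory IDs here are made up.

```python
"""Added example, not CraftedTrust's Touchstone engine and not a real advisory feed:
the matching step a dependency audit performs, run over a constructed requirements
file, a constructed advisory list and constructed last-release dates."""
import re
from datetime import date

REQUIREMENTS = """\
# constructed requirements.txt for an imaginary MCP server
netclient==2.25.1
yamlkit==5.3
fastjson-py>=0.20       # not pinned: resolves differently on every install
oldlib==1.0.0
"""

# Constructed advisories: (package, introduced, fixed, id); fixed=None means no fix exists
ADVISORIES = [
    ("netclient", "2.3.0", "2.31.0", "EX-0001"),
    ("yamlkit", "0", "5.4", "EX-0002"),
    ("oldlib", "1.0.0", None, "EX-0003"),
]

# Constructed maintenance metadata: date of each package's latest release
LAST_RELEASE = {
    "netclient": date(2025, 6, 10),
    "yamlkit": date(2024, 8, 6),
    "fastjson-py": date(2025, 6, 1),
    "oldlib": date(2019, 3, 1),
}
TODAY = date(2026, 1, 15)   # fixed so the example is reproducible

SPEC_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9.]*)?")


def parse_version(v: str) -> tuple:
    """Numeric tuple so that 2.10 > 2.9; comparing the strings gets this wrong."""
    parts = [int(p) for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:     # 1.0.0 == 1.0 == 1
        parts.pop()
    return tuple(parts)


def parse_requirements(text: str) -> list:
    """Return (name, operator, version) for each non-comment line."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SPEC_RE.match(line)
        if m:
            specs.append((m.group(1).lower(), m.group(2), m.group(3)))
    return specs


def is_affected(version: str, introduced: str, fixed) -> bool:
    """Half-open range [introduced, fixed), as OSV-style advisories express it."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def audit(text: str, advisories, last_release: dict, today: date, stale_days: int = 365) -> dict:
    findings = {"vulnerable": [], "unpinned": [], "stale": []}
    for name, op, ver in parse_requirements(text):
        if op != "==" or ver is None:
            findings["unpinned"].append(name)   # exact version unknown from this file alone
        else:
            for pkg, introduced, fixed, adv_id in advisories:
                if pkg == name and is_affected(ver, introduced, fixed):
                    findings["vulnerable"].append((name, ver, adv_id, fixed))
        released = last_release.get(name)
        if released is not None and (today - released).days > stale_days:
            findings["stale"].append(name)
    return findings


def run_audit() -> dict:
    return audit(REQUIREMENTS, ADVISORIES, LAST_RELEASE, TODAY)


if __name__ == "__main__":
    for kind, items in run_audit().items():
        print(kind, items)
```

Two details are where home-grown audits usually go wrong: versions must be compared numerically (as strings, `"2.10" < "2.9"`), and an advisory's `fixed` bound is exclusive, so a package sitting exactly on the fixed version is clean while one release earlier is not. Unpinned specs are reported separately because the file cannot say which version will actually be installed.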
4. Map to a Compliance Framework
Even if your server is an open source side project, aligning with at least one framework (CoSAI or OWASP AI Security are good starting points) forces you to think systematically about security. For enterprise-targeted servers, mapping to NIST AI RMF and EU AI Act requirements is increasingly non-negotiable.
5. Enforce TLS Everywhere
If your MCP server is accessible over a network, enforce TLS. Use a valid certificate from a trusted CA. Configure HSTS headers. Do not accept unencrypted connections. This is table stakes in 2026.
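The certificate checks behind the transport findings above (expired, self-signed in production, hostname mismatch) together with the server-side enforcement this recommendation asks for, as an added example that is not CraftedTrust's scanner. The peer certificate is constructed in the dict layout `ssl.SSLSocket.getpeercert()` returns, and the hostnames, dates, and PEM file names are made up.

```python
"""Added example, not CraftedTrust's scanner: the certificate checks behind the
transport findings (expired, self-signed, hostname mismatch) run over a constructed
certificate in the dict layout ssl.SSLSocket.getpeercert() returns, plus a server
context that refuses anything below TLS 1.2 and the HSTS header to send with every
response. The hostnames and dates are made up."""
import ssl
from datetime import datetime, timezone

# Constructed peer certificate, shaped like the return value of getpeercert()
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "mcp.example.test"),),),
    "issuer": ((("commonName", "mcp.example.test"),),),   # issuer == subject: self-signed
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "mcp.example.test"), ("DNS", "*.tools.example.test")),
}


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def _name(rdns) -> dict:
    # getpeercert() encodes a name as a tuple of RDNs, each a tuple of (type, value)
    return {attr: value for rdn in rdns for attr, value in rdn}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """SAN/CN matching: a wildcard is honoured only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        # '*.tools.example.test' covers 'a.tools.example.test', not 'x.y.tools.example.test'
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return pattern == hostname


def certificate_issues(cert: dict, hostname: str, now: datetime) -> list:
    """Return the problems a scanner would report for `cert` presented for `hostname`."""
    issues = []
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    if now < not_before:
        issues.append("not-yet-valid")
    if now >= not_after:
        issues.append("expired")
    if _name(cert["subject"]) == _name(cert["issuer"]):
        issues.append("self-signed")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:                       # the CN is only consulted when there is no SAN
        cn = _name(cert["subject"]).get("commonName")
        names = [cn] if cn else []
    if not any(hostname_matches(n, hostname) for n in names):
        issues.append("hostname-mismatch")
    return issues


def server_tls_context(certfile: str = None, keyfile: str = None) -> ssl.SSLContext:
    """Server-side context: TLS 1.2 or newer only; older protocol versions are refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:                        # CA-issued chain and private key, PEM files (assumed names)
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


# Send on every HTTPS response so clients that honour HSTS stop trying plaintext for a year
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


if __name__ == "__main__":
    print(certificate_issues(CONSTRUCTED_CERT, "mcp.example.test", utc(2026, 3, 1)))
    # ['expired', 'self-signed']
    ctx = server_tls_context("server.pem", "server.key") if False else server_tls_context()
    print(ctx.minimum_version)
```

The self-signed test is the weakest of the three: a matching subject and issuer is how self-signed certificates look, but a server that presents a certificate from a private CA is just as unverifiable to an agent that only trusts public roots, so the check is a floor for production, not a full chain validation. The context deliberately sets `minimum_version` rather than relying on library defaults, which is what makes "do not accept unencrypted or downgraded connections" an enforced property instead of a hope.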
6. Consider Certification
Third-party security validation provides signal that self-assessment cannot. The CraftedTrust certification program evaluates servers against all 12 trust factors and anchors the result as an on-chain attestation. It takes the guesswork out of trust decisions for the developers and agents consuming your server.
How CraftedTrust Helps
CraftedTrust MCP Shield is the public trust surface that makes all of this measurable, and it now sits inside a broader platform that also includes research, identity, audit, governance, trace visibility, and enterprise controls. In the context of MCP security, here is what the platform provides:
- 12-Factor Trust Scoring: Every server is evaluated across source verification, permission scope, code quality, dependency health, maintainer reputation, update frequency, community validation, authentication, transport security, injection resistance, data handling, and compliance alignment. Scores are updated continuously as servers change. Read the full methodology.
- Touchstone CVE Research: Our proprietary CVE engine continuously maps known vulnerabilities to the dependency trees of every scanned server. This goes beyond standard advisory databases -- Touchstone identifies transitive vulnerability chains and flags dependency combinations that create compound risk. Learn more about Touchstone.
- Certification Program: Servers that pass a deeper manual review receive a premium trust badge and an on-chain EAS attestation on Base. Premium trust verification and related high-assurance workflows can also be gated through machine-native payment flows such as x402 where appropriate.
- Audit, Governance, and Identity: AgentGov, audit receipts, shared identity, and enterprise controls give teams a way to turn trust scores into enforceable policy, operational visibility, and documented oversight. Explore the Agent Trust Stack.
- Public API and MCP Tools: Six MCP tools available at /api/v1/mcp allow developers and agents to programmatically query trust scores, check certifications, and verify attestations before connecting to any server.
What Comes Next
The MCP ecosystem is still in its early stages. The security posture we see today is a snapshot of a rapidly evolving landscape. More servers are being published every week, and the protocol itself continues to mature. The question is whether security practices will keep pace with adoption.
We plan to publish this report on a quarterly basis, tracking how the grade distribution shifts over time. Our goal is not to alarm but to provide the data that drives improvement. Every server that moves from an F to a C, or from a C to an A, makes the entire ecosystem safer for the agents and users that depend on it.
Explore the full registry at mcp.craftedtrust.com, or visit craftedtrust.com/platform for the broader CraftedTrust platform.