30 CVEs in 60 Days: The MCP Security Reckoning Has Arrived
The Model Context Protocol went from “promising standard” to “active threat surface” faster than anyone predicted.
Between January and March 2026, security researchers filed over 30 CVEs targeting MCP servers. The root causes aren’t exotic zero-days. They’re the same vulnerabilities AppSec teams have been fighting for twenty years: command injection, path traversal, SSRF, missing authentication.
The difference? These vulnerabilities now give attackers direct access to AI agents with broad system permissions.
MCPwnfluence: The Wake-Up Call
In early March, researchers at Pluto Security disclosed an attack chain that crystallized the problem. They called it MCPwnfluence - two vulnerabilities in the widely-deployed mcp-atlassian server that chain together for unauthenticated remote code execution.
Arbitrary File Write via Path Traversal
The download_attachment tool accepts attacker-controlled file paths without validation. An attacker can write malicious content to any location on the filesystem - ~/.bashrc, ~/.ssh/authorized_keys, cron directories.
Unauthenticated SSRF via Custom Headers
The server accepts arbitrary URLs via HTTP headers, turning the MCP server into an SSRF proxy. Attackers can reach cloud metadata endpoints (169.254.169.254), scan internal services, and map the victim’s network.
The attack chain is devastatingly simple:
[Diagram: Local Network → CVE-2026-27826 (SSRF) → CVE-2026-27825 (arbitrary file write) → Root]
Two HTTP requests from your local network. Coffee shop WiFi just became dangerous for developers running MCP servers.
mcp-atlassian binds to 0.0.0.0 by default with no authentication. The developers assumed it would only be accessed locally by the AI client. Attackers made no such assumption.
The Five Attack Patterns
Analyzing the 30+ CVEs reveals five recurring patterns. These aren’t theoretical - every pattern has multiple confirmed CVEs.
1. Tool Poisoning
Malicious instructions hidden in tool descriptions. The AI reads the description to understand what the tool does - and executes whatever instructions are embedded there.
2. Prompt Injection via External Data
Attacks embedded in GitHub issues, Slack messages, database records. The agent fetches “data” that’s actually an attack payload.
3. Trust Bypass
Exploiting “approve once, trust forever” permission models. One legitimate approval creates a persistent backdoor for future malicious requests.
4. Supply Chain Attacks
Malicious MCP servers in package registries. Typosquatting, dependency confusion, and compromised maintainer accounts.
5. Cross-Tenant Exposure
Shared infrastructure breaking isolation. One tenant’s agent can access another tenant’s data through MCP server misconfigurations.
OWASP Agentic Top 10 Mapping
Every attack pattern maps directly to the OWASP Agentic Security Top 10. This isn’t a new threat category - it’s a new attack surface for known threats.
| OWASP ID | Risk Category | MCP CVE Example |
|---|---|---|
| ASI01 | Excessive Agency | CVE-2026-27825 - Unrestricted file write permissions |
| ASI02 | Misplaced Trust in LLM Outputs | Multiple - Servers executing LLM-generated commands without validation |
| ASI03 | Insecure Data Flow | CVE-2026-27826 - SSRF exposing internal network data |
| ASI04 | Inadequate Sandboxing | CVE-2026-4270 - AWS MCP file access restriction bypass |
| ASI05 | Insufficient Monitoring | Most servers lack audit logging of agent actions |
| ASI07 | Agent Authentication Failures | 38% of scanned servers have no authentication |
| ASI10 | Supply Chain Vulnerabilities | Multiple typosquatted MCP packages discovered |
Why This Is Happening
The MCP ecosystem grew fast. Really fast. Anthropic released the spec in November 2024. By March 2026, there are thousands of MCP servers in the wild.
The problem? MCP server authors are systems engineers and ML engineers, not security engineers. They’re solving integration problems, not security problems. The vulnerabilities showing up are 2010-era web security bugs in 2026 AI infrastructure.
Every major platform shift creates a security gap. Web applications in the 2000s. Mobile apps in the 2010s. Cloud infrastructure in the late 2010s. Now it’s agentic AI infrastructure in the 2020s. The attack techniques are the same - the attack surface is new.
What Needs to Change
For MCP Server Developers:
- Bind to localhost by default, not 0.0.0.0
- Require authentication for all operations
- Validate and sanitize all file paths
- Log every action for audit trails
- Implement proper sandboxing
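Two of the developer fixes above (validate file paths, don't proxy arbitrary URLs) made concrete, as an added Python example that is not code from mcp-atlassian or the original post. The path guard is modelled on the download_attachment bug class and the URL guard on the SSRF-via-headers class from the MCPwnfluence section; ATTACHMENT_ROOT and every function name are assumptions.

```python
import ipaddress
from pathlib import Path
from urllib.parse import urlparse

# Assumed storage directory for the hypothetical attachment tool.
ATTACHMENT_ROOT = Path("/var/lib/mcp/attachments")


def safe_attachment_path(root: Path, requested: str) -> Path:
    """Return the resolved write destination for `requested`, or raise ValueError.
    The vulnerable pattern writes wherever the caller says. This version only
    accepts a relative name, resolves it under `root` (collapsing ".." and
    symlinks) and refuses anything that no longer sits inside `root`.
    """
    if not requested or "\x00" in requested or Path(requested).is_absolute():
        raise ValueError("empty, absolute, or NUL-containing path")
    candidate = (root / requested).resolve()
    root_resolved = root.resolve()
    if root_resolved not in candidate.parents:
        raise ValueError(f"path escapes attachment root: {requested!r}")
    return candidate


def is_confined(root: Path, requested: str) -> bool:
    """Convenience predicate: would safe_attachment_path accept this request?"""
    try:
        safe_attachment_path(root, requested)
    except ValueError:
        return False
    return True


def is_safe_outbound_url(url: str) -> bool:
    """SSRF guard for a URL taken from an untrusted header or tool argument.
    Rejects non-HTTP schemes and literal addresses that are loopback,
    link-local (the 169.254.169.254 metadata range), private, multicast,
    reserved or unspecified. Hostnames are not resolved here, so a full guard
    must re-check the address at connect time (DNS rebinding, redirects).
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        addr = ipaddress.ip_address(parsed.hostname)
    except ValueError:
        return parsed.hostname != "localhost"   # a name, not a literal address
    return not (addr.is_loopback or addr.is_link_local or addr.is_private
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)
```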
For Organizations Deploying MCP:
- Inventory all MCP servers in your environment
- Audit network exposure and authentication
- Monitor for unusual agent behavior patterns
- Implement least-privilege permissions
- Keep servers updated - many CVEs already have patches
For the Ecosystem:
- Security reviews before publishing to registries
- Standardized security baselines for MCP servers
- Runtime monitoring and enforcement layers
- Coordinated vulnerability disclosure processes
The Reckoning
30 CVEs in 60 days isn’t a blip. It’s the beginning.
The MCP ecosystem will continue to grow. Agents will gain more capabilities. The attack surface will expand. The question isn’t whether there will be more vulnerabilities - it’s whether the ecosystem can mature its security practices faster than attackers can exploit the gaps.
The security industry spent 20 years learning how to secure web applications. We don’t have 20 years for agentic AI. The adoption curve is too steep, the capabilities are too powerful, and the stakes are too high.
The reckoning has arrived. The question is what we do about it.
Rogue Security provides runtime protection for agentic AI systems. Our embedded micro-SLMs enforce security policies in under 5ms, blocking threats before they can execute. Learn more about securing your AI agents.