Your MCP Server Might Be a Security Liability: What Business Owners Need to Know

30 CVEs in six weeks. Anthropic's own code was vulnerable. 37% of MCP servers have no authentication. Every article about this is written for security engineers — this one is for founders.


On January 20, 2026, security researchers disclosed three vulnerabilities in Anthropic's own official Git MCP server — the reference implementation that thousands of developers have copied into their own projects. These were not obscure edge cases. They enabled remote code execution, arbitrary file access, and path traversal. The company that created MCP had shipped insecure code in the example that everyone was following.

Six weeks later, the count has reached 30 documented CVEs across the MCP ecosystem. 37% of network-exposed MCP servers have no authentication at all. Security scanners built to find MCP vulnerabilities have been found to contain their own vulnerabilities.

Every article about this is written for CISOs and security engineers. This one is for service business founders who are building products with MCP integrations — or whose developers are connecting AI tools to business data without understanding the risks.

What MCP servers actually do (and why security matters)

If you have been following the MCP conversation, you know that Model Context Protocol servers are the connective tissue between AI models and your business data. They let AI agents read your databases, access your files, call your APIs, and take actions on your behalf.

That is enormously powerful. It is also enormously dangerous if the connections are not secured properly. Every MCP server is essentially a door between an AI model and your systems. If that door has no lock, anyone who can reach it can walk through.

The problem in early 2026 is that most of those doors have no locks.

The vulnerability landscape: what has gone wrong

Anthropic's own code was vulnerable

The three CVEs in Anthropic's official Git MCP server are the most important to understand, because they reveal a systemic problem rather than isolated mistakes.

CVE-2025-68143 allowed the git_init tool to create repositories at arbitrary filesystem paths — meaning an attacker could turn any directory on your server into a Git repository. CVE-2025-68145 was a path validation bypass where the settings meant to restrict access to a specific repository simply did not work. CVE-2025-68144 turned git_diff — a supposedly read-only command — into a weapon that could empty or overwrite files.

These are not exotic attack techniques. Path traversal and command injection have been in the OWASP Top 10 for years. The significance is that Anthropic's reference implementation — the code developers copy when building their own MCP servers — contained these basic security flaws. As one researcher noted, developers who copied the "official" code were copying the vulnerability.

30 CVEs in six weeks

By late February 2026, security researchers have documented 30 CVEs across the MCP ecosystem. The breakdown reveals three distinct attack layers.

Shell injection accounts for 43% of CVEs — the most common pattern. MCP server code takes user input and passes it directly to shell commands without sanitising it. An attacker sends a specially crafted request and the server executes arbitrary commands. The fix is nearly identical across all cases — use safe execution methods instead of raw shell commands — but developers keep making the same mistake.
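The pattern described above and its fix, as an added example rather than code from Anthropic's Git MCP server or the MCP SDK. The tool name git_log, the repository path and the ref allowlist are assumptions; the hardened builder also blocks the argument-injection trick that turned the read-only git_diff into a file-overwrite primitive.

```python
# Added example, not code from Anthropic's Git MCP server or the MCP SDK.
# Hypothetical tool "git_log(repo, ref)": the shell-injection pattern behind
# most MCP CVEs, beside a hardened argv builder that also refuses an option
# smuggled in as a value (the argument-injection class of the git_diff CVE).
import re
import subprocess

# Conservative allowlist for a ref name (an assumption of this example). It
# must start with a letter or digit, so "--output=/tmp/x" can never reach git
# as an option, and it excludes shell metacharacters and whitespace outright.
REF_PATTERN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/~^-]{0,255}$")


def vulnerable_command(repo: str, ref: str) -> str:
    # The 43% pattern: tool input spliced into a shell string. Handing this to
    # subprocess.run(..., shell=True) lets ref="main; id" run a second command.
    return f"git -C {repo} log --oneline {ref}"


def validate_ref(ref: str) -> str:
    if not REF_PATTERN.fullmatch(ref):
        raise ValueError(f"rejected ref: {ref!r}")
    return ref


def build_git_log_argv(repo: str, ref: str) -> list[str]:
    # Hardened form: an argv list (no shell ever parses it), a validated ref,
    # and a trailing "--" so git stops option parsing even if the allowlist
    # is later loosened by someone editing REF_PATTERN.
    return ["git", "-C", repo, "log", "--oneline", validate_ref(ref), "--"]


def git_log_safe(repo: str, ref: str) -> str:
    # Runs without shell=True: any metacharacters in ref stay literal text.
    proc = subprocess.run(build_git_log_argv(repo, ref), capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    for ref in ("main", "main; id", "--output=/tmp/pwned"):
        try:
            print(build_git_log_argv("/srv/repos/app", ref))
        except ValueError as err:
            print("blocked:", err)
```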

Tooling and infrastructure attacks make up 20% of CVEs. The development tools built to inspect and test MCP servers are themselves vulnerable. One security scanner designed to audit MCP servers contained a command injection in its own code. The tool that finds vulnerabilities was itself a vulnerability.

Authentication bypass accounts for 13% of CVEs — critical endpoints with no authentication at all. Among the 554 network-exposed MCP servers analysed by one research team, 37% — 203 servers — have no authentication. Any client can call any tool without credentials.

The Microsoft problem

It is not just Anthropic. Security researchers disclosed a severe server-side request forgery vulnerability in Microsoft's MarkItDown MCP server. When they analysed more than 7,000 MCP servers, they estimated the same type of exposure might be present in around 36.7% of all MCP servers on the web.

Why MCP servers are uniquely risky

MCP security is not just another software security problem. Three characteristics make it structurally different from traditional web application security.

Most MCP servers are built by domain experts, not security experts. The people building them are typically specialists — data visualisation engineers, OSINT researchers, mobile developers — who know their field deeply and security minimally. There is no shared security library that enforces safe execution. There is no registry review that catches vulnerabilities before publication. The result is that the same basic mistakes appear in server after server.

AI agents are assumed to be trusted callers. Traditional web applications assume that incoming requests might be malicious. MCP servers often assume the opposite — that the AI agent calling them is trustworthy. This assumption is fundamentally wrong. Prompt injection means an attacker can manipulate what an AI agent sends to an MCP server without ever touching the server directly. An attacker embeds malicious instructions in a document, the AI reads the document, and the AI unknowingly sends the attack to the MCP server.

The ecosystem is growing faster than security practices. There are now over 10,000 active MCP servers with 97 million monthly SDK downloads. Most MCP servers are side projects or early-stage integrations maintained by individual developers who do not monitor their repositories for security reports. When researchers disclose vulnerabilities, response rates are low.

The 10-point MCP security audit for business owners

You do not need to be a security engineer to assess whether your MCP integrations are putting your business at risk. Here is a practical checklist.

1. Inventory your MCP connections. List every MCP server your AI tools connect to. If you cannot list them, that is the first problem.

2. Check authentication on every server. Can anyone call your MCP server without credentials? If yes, fix this immediately. No authentication means any client on the network can access your tools.

3. Verify what data each server can access. Does your Git MCP server have access to all repositories or just the ones it needs? Does your database MCP server have read-only access or write access? Apply the principle of least privilege.

4. Check for official versus community servers. Are you using MCP servers maintained by the tool vendor (Anthropic, Microsoft) or community-built alternatives? Even official servers have had vulnerabilities, but they are more likely to be patched.

5. Review update frequency. When was the last time each MCP server was updated? Servers that have not been updated since the January 2026 CVE disclosures are likely still vulnerable.

6. Test path restrictions. If your MCP server is configured to access only specific directories, verify that the restriction actually works. The Anthropic CVEs showed that path validation settings did not do what administrators expected.

7. Check for shell execution patterns. Ask your developer whether any MCP server code passes user input to exec(), eval(), or similar functions. If the answer is yes or "I'm not sure," that is a red flag.

8. Assess prompt injection exposure. Consider what happens if an AI agent processes a malicious document and sends crafted requests to your MCP server. Is the server resilient to unexpected input?

9. Review logging and monitoring. Are MCP server requests logged? Can you see who called what tool with what parameters? Without logging, you cannot detect or investigate security incidents.

10. Plan for server compromise. If one MCP server is compromised, what is the blast radius? Can it reach other systems, databases, or credentials? Isolate MCP servers from your most sensitive infrastructure.
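Checklist items 2, 6 and 9 in working form, as an added example that is not the article's code, the MCP SDK or any vendor server. It is a small gateway placed in front of tool dispatch; the token values, the allowed root directory and the tool names are constructed samples.

```python
# Added example, not code from the article, the MCP SDK or any vendor server.
# A tool-call gateway enforcing checklist items 2 (authentication),
# 6 (path restriction) and 9 (logging who called what, with which parameters).
# Token values, the root directory and the tool names are constructed samples.
import hmac
import json
import logging
from pathlib import Path

audit_log = logging.getLogger("mcp.audit")

# Constructed sample credentials; in production these come from a secret store.
API_TOKENS = {"tok-analyst-7f3a": "analyst@example", "tok-ci-91bc": "ci-bot"}
ALLOWED_ROOT = Path("/srv/repos").resolve()
TOOLS_WITH_PATHS = {"git_status": "repo_path", "read_file": "path"}


def authenticate(token):
    # Item 2: no credential, no tool. compare_digest avoids timing leaks.
    for known, principal in API_TOKENS.items():
        if token is not None and hmac.compare_digest(known, token):
            return principal
    raise PermissionError("unauthenticated tool call rejected")


def resolve_inside_root(user_path, root=ALLOWED_ROOT):
    # Item 6: normalise first (".." segments, absolute paths, symlinks), then
    # compare. Checking the raw string is the mistake class behind the git_init
    # CVE: Path(root) / "/etc/passwd" silently discards root.
    candidate = (root / user_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes {root}: {user_path!r}")
    return candidate


def handle_tool_call(request, token):
    """Validate and record one MCP-style call; return the record to dispatch."""
    principal = authenticate(token)
    name = request["name"]
    args = dict(request.get("arguments", {}))
    if name not in TOOLS_WITH_PATHS:
        raise KeyError(f"unknown tool: {name}")
    path_arg = TOOLS_WITH_PATHS[name]
    args[path_arg] = str(resolve_inside_root(args[path_arg]))
    record = {"caller": principal, "tool": name, "arguments": args}
    audit_log.info(json.dumps(record))  # item 9: who, which tool, which params
    return record
```

The record returned is what you would pass to the real tool and what an investigator later reads from the audit log.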

What this means for your product build

If you are building a product that includes MCP integrations — connecting AI to your client data, your business processes, or your internal tools — security cannot be an afterthought.

The current state of MCP security is comparable to the early days of web application security, when SQL injection was everywhere because developers had not yet learned to treat user input as potentially hostile. The MCP ecosystem is learning the same lesson, but the stakes are higher because MCP servers often have broader access to systems and data than traditional web endpoints.

For service business founders building their first product, my practical recommendations are straightforward.

Use established, well-maintained MCP servers from vendors who have security teams and patch vulnerabilities quickly. Anthropic fixed their CVEs. Community servers with unresponsive maintainers are the higher risk.

Treat MCP security as a production requirement, not a nice-to-have. Include it in your product specification from day one, not as a bolt-on after launch.

Require authentication on every MCP endpoint. There is no legitimate reason for a production MCP server to accept unauthenticated requests.

Sandbox your MCP servers. Run them in isolated environments with minimal permissions. If a server is compromised, the attacker should not be able to reach your database, payment system, or customer data.

Review your MCP security quarterly. The vulnerability landscape is evolving monthly. What was secure in January may not be secure in April.

The MCP ecosystem will mature. Security tooling will improve. Best practices will solidify. But right now, in February 2026, the gap between MCP adoption and MCP security is wide — and founders building products need to be on the right side of it.

Frequently asked questions

Are MCP servers safe to use in 2026?

MCP servers are safe to use when properly secured, but the default state of many MCP servers is insecure. 37% of network-exposed servers have no authentication, and 30 CVEs have been documented in the first two months of 2026. The protocol itself is sound — the implementation quality varies dramatically. Use well-maintained servers, require authentication, and follow the security audit checklist above.

What were the Anthropic MCP vulnerabilities?

Three CVEs were disclosed on January 20, 2026 in Anthropic's official Git MCP server: CVE-2025-68143 (arbitrary repository creation), CVE-2025-68145 (path validation bypass), and CVE-2025-68144 (argument injection enabling file overwrite). All have been patched. The significance is that the reference implementation — code meant to show developers how to build MCP servers correctly — contained basic security flaws.

Can hackers attack my business through MCP servers?

Yes. MCP servers create direct connections between AI models and your business systems. If an MCP server has no authentication, an attacker can call its tools directly. Even with authentication, prompt injection attacks can manipulate AI agents into sending malicious requests to MCP servers. The attack surface is real, and security researchers are actively demonstrating working exploits against it.

How do I secure MCP servers for my product?

Start with authentication on every endpoint, least-privilege access for every connection, input validation on every parameter, and isolation from critical systems. Use MCP servers from vendors with security teams. Log all requests. Review security quarterly as the vulnerability landscape evolves. Include MCP security requirements in your product specification from day one.