30 CVEs in 60 Days: The MCP Attack Surface Is Exploding
The Model Context Protocol went from zero to 30 CVEs in two months. 38% of MCP servers have no authentication. Here is the data.
From Zero to 30 CVEs in 60 Days
The Model Context Protocol is the fastest-growing attack surface in AI. In the 60 days between February and April 2026, 30 CVEs were filed against MCP servers and tools. That is one new vulnerability every two days.
For comparison, Docker had 7 CVEs in its first two years. Kubernetes had 12 in its first year. MCP had 30 in two months.
The Numbers
| Metric | Value |
|---|
|--------|-------|
| CVEs filed (60 days) | 30 |
|---|
| MCP servers with zero authentication | 38% |
|---|
| Total MCP skills in registries | 53,577+ |
|---|
| Skills with security findings | 946 (1.77%) |
|---|
| Critical findings | 875 |
|---|
Why MCP Is Different
Traditional APIs have a clear trust boundary. You call an API, it returns data. The API cannot read your files, execute commands on your machine, or access your credentials.
MCP tools have no such boundary. When an AI agent calls an MCP skill, that skill runs with the agent's full permissions. File system access. Shell execution. Network requests. Credential stores. Everything.
This is not a theoretical concern. Real attacks have been documented:
- •**postmark-mcp** stole email inboxes by disguising itself as an email management tool
- •**SANDWORM_MODE** exfiltrated SSH keys from 19 typosquatted packages
- •Tool description poisoning has been found in 674 skills across the OpenClaw registry
The Authentication Gap
38% of MCP servers have zero authentication. No API keys. No OAuth. No verification of any kind. An attacker can set up a malicious MCP server, register it in a public registry, and wait for AI agents to connect.
The MCP specification itself does not mandate authentication. It is optional. Most implementations skip it.
What ATR Detects
ATR currently covers the following MCP attack vectors with 108 detection rules:
- •**Prompt injection** (33 rules) — Hijacking agent behavior through crafted inputs
- •**Skill compromise** (22 rules) — Malicious or vulnerable MCP skills and SKILL.md
- •**Context exfiltration** (14 rules) — Stealing conversation context and sensitive data
- •**Tool poisoning** (22 rules) — Poisoned tool descriptions and malicious responses
- •**Privilege escalation** (8 rules) — Unauthorized elevation of agent capabilities
- •**Agent manipulation** (5 rules) — Social engineering of AI agents
- •**Excessive autonomy** (2 rules) — Agents exceeding operational boundaries
- •**Model security** (1 rule) — Direct attacks on language models
- •**Data poisoning** (1 rule) — Corrupting training data or knowledge sources
Coverage against major frameworks:
- •OWASP Agentic Top 10: **10/10**
- •SAFE-MCP (OpenSSF): **78/85 techniques (91.8%)**
- •OWASP Skills Top 10: **7/10** (3 are process-level, not detectable by regex)
The Speed Problem
Committee-based security standards take 12-18 months to publish. SAFE-MCP is funded but not yet released. OWASP frameworks are being updated on quarterly cycles.
New MCP CVEs appear every 2 days.
ATR closes this gap with community-driven rules and automated threat crystallization. When a new attack pattern is discovered, the Threat Cloud analyzes it, generates a detection rule, and community review merges it. Average time from discovery to protection: under 1 hour.
What This Means for Your Organization
If you are using AI agents with MCP tools in any capacity -- development, customer service, data analysis, automation -- you have exposure to this attack surface.
Three things to do today:
1. **Inventory your MCP skills.** Know what your agents have access to.
2. **Scan with ATR.** `npx agent-threat-rules scan` takes seconds.
3. **Monitor the CVE feed.** New vulnerabilities are appearing biweekly.
The MCP attack surface is growing faster than any protocol in recent memory. The 30 CVEs in 60 days are just the beginning.
---
*ATR provides open-source detection rules for these threats: [agentthreatrule.org](https://agentthreatrule.org)*