30 CVEs and Counting: The MCP Security Crisis Nobody's Talking About
Source: Dev.to
Overview
MCP – the Model Context Protocol – lets AI agents talk to external services.
Anthropic launched it, and every major AI lab has adopted it. Today there are thousands of MCP servers connecting agents to databases, APIs, financial platforms, and cloud infrastructure.
⚠️ 30 CVEs have already been reported for MCP, and the pace is accelerating.
Key Metrics
| Metric | Value |
|---|---|
| Total MCP CVEs | 30 |
| Servers with zero auth | 36 % |
| Attack‑surface layers | 3 |
| Since latest CVE | 1 day |
Recent Vulnerability – CVE‑2026‑27896
- Affected component: Official MCP Go SDK
- Root cause: The JSON parser treats field names case‑insensitively.
- Impact:
  - An attacker can send a response with `"Method"` instead of `"method"` (or `"PARAMS"` instead of `"params"`).
  - The SDK accepts these silently, bypassing any validation that checks for exact field names.
  - Example: a firewall that only allows `"method": "tools/call"` will still let `"Method": "tools/call"` pass.
Who is affected?
Any Go‑based MCP implementation – servers or clients built with the official Go SDK.
Mitigation: Update to the patched SDK version that enforces case‑sensitive JSON parsing.
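The behaviour behind this CVE, as an added example and not the SDK's own code: a minimal `Request` type with the SDK-style `json:"method"` tag, a loose parser that reproduces the case folding, the view an exact-key validator gets of the same bytes, and a strict parser that rejects mixed-case keys. The type and function names are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal JSON-RPC request with the tags an MCP SDK would use
// (constructed for this example, not the SDK's own type).
type Request struct {
	Method string          `json:"method"`
	Params json.RawMessage `json:"params"`
}

// ParseLoose mirrors the vulnerable behaviour: encoding/json binds tags case-
// insensitively, so "Method" lands in `method` (DisallowUnknownFields won't help).
func ParseLoose(raw []byte) (Request, error) {
	var r Request
	err := json.Unmarshal(raw, &r)
	return r, err
}

// GateView is what an exact-key validator sees: only the key spelled
// "method", so it gets "" for the mixed-case payload ParseLoose accepts.
func GateView(raw []byte) string {
	var obj map[string]json.RawMessage
	var method string
	if json.Unmarshal(raw, &obj) == nil {
		_ = json.Unmarshal(obj["method"], &method) // nil input when absent
	}
	return method
}

// ParseStrict closes the gap: decode into exact keys, reject any key not
// spelled as the protocol defines it, and only then bind the fields.
func ParseStrict(raw []byte) (Request, error) {
	var obj map[string]json.RawMessage
	if err := json.Unmarshal(raw, &obj); err != nil {
		return Request{}, err
	}
	known := map[string]bool{"jsonrpc": true, "id": true, "method": true, "params": true}
	for k := range obj {
		if !known[k] {
			return Request{}, fmt.Errorf("unexpected field %q: exact-case keys required", k)
		}
	}
	r := Request{Params: obj["params"]}
	err := json.Unmarshal(obj["method"], &r.Method) // absent "method" is an error
	return r, err
}
```

The key-set check is the part that matters: `DisallowUnknownFields` alone does not catch a folded-case key because encoding/json treats the fold match as a known field.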
Why MCP Security Is Uniquely Dangerous
The attack surface spans three distinct layers. A flaw in any layer can compromise the entire chain.
1️⃣ MCP Servers
- Examples: QuickBooks, Stripe, database connectors, file‑system bridges.
- 36 % of scanned MCP servers accept connections without authentication.
Typical attack vectors
- Unauthenticated access
- Insufficient authorization (any client can call any tool)
- Missing input validation
- SSRF through tool parameters
- Data exfiltration via tool responses
2️⃣ Protocol‑Implementation Libraries
- Official TypeScript, Python, and Go SDKs that parse MCP messages.
- CVE‑2026‑27896 lives here, along with other parsing bugs, serialization mismatches, and type‑confusion issues.
Typical attack vectors
- Case‑insensitive parsing bypasses (CVE‑2026‑27896)
- Malformed‑message handling
- Type confusion between SDK implementations
- Deserialization of untrusted data
- Protocol‑version mismatches
3️⃣ MCP Client Runtime
- The machine running the MCP client (laptop, server, AI‑agent runtime).
- Tool calls execute with the permissions of the host process.
Typical attack vectors
- Unrestricted tool access (no allowlist)
- Write operations via prompt injection
- Sensitive‑data leakage through tool responses
- Lateral movement via chained MCP servers
- Credential theft from tool configurations
The gap: Most MCP implementations have zero controls at this layer – the agent decides what to call, and nothing validates whether it should.
CVE Timeline
| Period | CVEs | Notable Highlights |
|---|---|---|
| 2025 Q1‑Q2 | ~5 | Initial discovery – auth, SSRF basics |
| 2025 Q3‑Q4 | ~10 | SDK‑level bugs emerge, cross‑implementation issues |
| 2026 Q1 (so far) | ~15 | Acceleration – CVE‑2026‑27896 (Go SDK bypass), server auth failures |
| Total | 30 | Spanning all 3 layers |
Half of all MCP CVEs have been published in the last three months.
Real‑World Impact
- More than 33 % of MCP servers in the wild accept any connection without verifying the client’s identity.
- Consequences:
- Any AI agent that discovers the endpoint can connect.
- All tool calls (including destructive write operations) are accepted.
- No audit trail of who called what.
- Prompt‑injection in one agent can pivot to unauthenticated MCP servers.
For financial MCP servers (QuickBooks, Stripe, Xero) this is catastrophic – a compromised agent can directly invoke financial operations on unauthenticated servers.
Defensive Solution – ClawMoat McpFirewall
McpFirewall sits at Layer 3 (between the AI agent and MCP servers). It intercepts every tool call before it reaches the server, enforcing security policies that MCP itself does not provide.
What it does
- Blocks write operations by matching against 29 patterns (e.g., `create_`, `add_`, `update_`, `delete_`, `transfer_`, `pay_`, etc.).
- Redacts sensitive fields (SSNs, bank‑account numbers, API keys) from MCP responses even in read‑only mode.
Example (Node.js)

```javascript
const { McpFirewall } = require('clawmoat/finance/mcp-firewall');
const firewall = new McpFirewall({
  mode: 'read-only',
  onBlock: (event) => {
    console.log(
      `Blocked ${event.tool} on ${event.server}: ${event.reason}`
    );
  }
});

// Agent tries to create an invoice via MCP
const result = firewall.intercept({
  tool: 'create_invoice',
  args: { amount: 50000, customer: 'Acme Corp' },
  server: 'quickbooks-mcp'
});
// result.blocked === true
// result.reason === "Write operation 'create_invoice' blocked in read-only mode"
```
Write‑pattern list (29 entries)

```text
create_, add_, update_, edit_, modify_, delete_, remove_,
send_, post_, submit_, approve_, void_, cancel_, refund_,
transfer_, pay_, charge_, issue_, record_, close_, batch_,
import_, set_, assign_, link_, unlink_, archive_, restore_, merge_
```
Firewall Configuration Overview
```javascript
const firewall = new McpFirewall({
  mode: 'read-only',
  redactFields: ['ssn', 'tax_id', 'bank_account', 'routing_number'],
  redactResponses: true
});
```
Example – MCP response before and after redaction
| Before | After |
|---|---|
| `{ customer: "Jane", ssn: "123-45-6789", balance: 5000 }` | `{ customer: "Jane", ssn: "***-**-****", balance: 5000 }` |
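Field-level redaction as an added Go example, not the McpFirewall library's code: a recursive walk over a decoded response that masks the configured fields while keeping separators, so nested objects and arrays are covered too. The `Redact`, `mask` and `RedactJSON` names are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"slices"
	"strings"
)

// Redact masks the named fields anywhere in a decoded JSON tree, recursing into
// nested objects and arrays. Keys match case-insensitively ("SSN" and "ssn").
func Redact(v any, fields []string) any {
	switch x := v.(type) {
	case map[string]any:
		for k, val := range x {
			if slices.ContainsFunc(fields, func(f string) bool { return strings.EqualFold(k, f) }) {
				x[k] = mask(val) // modifies the map in place
			} else {
				x[k] = Redact(val, fields)
			}
		}
	case []any:
		for i := range x {
			x[i] = Redact(x[i], fields)
		}
	}
	return v
}

// mask keeps separators and stars out the rest ("123-45-6789" -> "***-**-****");
// non-strings are replaced outright, since a numeric account number leaks too.
func mask(v any) any {
	s, ok := v.(string)
	if !ok {
		return "[redacted]"
	}
	return strings.Map(func(r rune) rune {
		if r == '-' || r == ' ' {
			return r
		}
		return '*'
	}, s)
}
// RedactJSON applies Redact to a raw MCP response body and re-encodes it.
func RedactJSON(raw []byte, fields []string) ([]byte, error) {
	var doc any
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	return json.Marshal(Redact(doc, fields))
}
```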
Tool‑Allowlist
Don’t let the agent decide which tools are safe. Define an explicit allowlist:
```javascript
const firewall = new McpFirewall({
  mode: 'read-only',
  allowedTools: ['get_invoices', 'get_profit_loss', 'get_balance_sheet'],
  blockedTools: ['delete_company', 'export_all_data']
});
```
Rate Limiting
Prevent data exfiltration through rapid‑fire tool calls:
```javascript
const firewall = new McpFirewall({
  mode: 'read-only',
  rateLimit: 10, // max 10 calls per tool per minute
  allowedTools: ['get_transactions']
});
```
Recognised Financial MCP Servers
McpFirewall ships with pattern recognition for 15 popular financial MCP servers:
- QuickBooks
- Xero
- FreshBooks
- Stripe
- Plaid
- Square
- PayPal
- Braintree
- Coinbase
- Mercury
- Wise
- Wave
- Gusto
- Rippling
- Bill.com
Attack Scenario (Go SDK Bypass)
- Attacker payload – mixed‑case field names: `{"Method": "tools/call", "Params": {"name": "transfer_funds"}}`
- Why it passes – validation checks for `"method"` (lowercase) only, so the check never matches and nothing is enforced.
- Go SDK behavior – `encoding/json` is case‑insensitive, so the SDK still parses the request.
- Result – the tool call executes with whatever permissions the MCP server grants.
- Mitigation – McpFirewall works after SDK parsing; it inspects the resolved tool name and arguments, blocking unauthorized calls regardless of how the message was parsed.
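The post-parse policy this mitigation describes, as an added Go example and not McpFirewall's own code: the allowlist, the 29 write prefixes and the per-tool rate limit from the configuration sections above, applied to the resolved tool name. `Firewall` and `Intercept` are assumed names; the limit uses a fixed one-minute window keyed by tool.

```go
package main

import (
	"fmt"
	"slices"
	"strings"
	"time"
)

// The 29 write prefixes from the list above.
var writePrefixes = []string{
	"create_", "add_", "update_", "edit_", "modify_", "delete_", "remove_",
	"send_", "post_", "submit_", "approve_", "void_", "cancel_", "refund_",
	"transfer_", "pay_", "charge_", "issue_", "record_", "close_", "batch_",
	"import_", "set_", "assign_", "link_", "unlink_", "archive_", "restore_", "merge_",
}

// Firewall is a constructed stand-in for the options shown above. It runs
// on the resolved tool name, i.e. after the SDK has parsed the message.
type Firewall struct {
	ReadOnly     bool
	AllowedTools []string       // if non-empty, only these may be called
	RateLimit    int            // max calls per tool per minute (0 = off)
	calls        map[string]int // call counts per tool and one-minute window
}

// Intercept returns (blocked, reason). The write check folds case so a
// mixed-case tool name cannot dodge the prefix list; the allowlist is exact.
func (f *Firewall) Intercept(tool string, now time.Time) (bool, string) {
	if len(f.AllowedTools) > 0 && !slices.Contains(f.AllowedTools, tool) {
		return true, fmt.Sprintf("tool '%s' is not on the allowlist", tool)
	}
	lower := strings.ToLower(tool)
	isWrite := func(p string) bool { return strings.HasPrefix(lower, p) }
	if f.ReadOnly && slices.ContainsFunc(writePrefixes, isWrite) {
		return true, fmt.Sprintf("Write operation '%s' blocked in read-only mode", tool)
	}
	if f.RateLimit > 0 {
		if f.calls == nil {
			f.calls = map[string]int{}
		}
		key := fmt.Sprintf("%s@%d", tool, now.Unix()/60) // fixed one-minute window
		if f.calls[key] >= f.RateLimit {
			return true, fmt.Sprintf("rate limit of %d/min exceeded for '%s'", f.RateLimit, tool)
		}
		f.calls[key]++
	}
	return false, ""
}
```

Counters for past windows are never evicted here; a long-running deployment would prune them.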
Immediate Actions
- Audit MCP servers – ensure they require authentication.
- Update SDKs – especially the Go SDK (see CVE‑2026‑27896).
- Add a firewall layer – never let agents call MCP tools unchecked.
- Inventory MCP connections – know which servers your agents can reach.
- Run a security scan – use ClawMoat’s free scanner for a quick assessment.
Why Security Matters
MCP is to AI agents what HTTP was to web browsers: a universal protocol for connecting to services.
However, the security model was an afterthought:
- Authentication – optional.
- Authorization – “left to the implementation.”
- Encryption – not required.
- Tool‑level access control – no standard.
30 CVEs in ~15 months isn’t just a number; it’s a pattern. The protocol was designed for functionality, not security.
McpFirewall Features
- Detection of 29 write patterns
- Field‑level redaction
- Tool allowlisting
- Rate limiting
- Zero dependencies
- 277 automated tests
It protects the host layer and complements server‑ and SDK‑level controls.
Get Started

```shell
npm install clawmoat
```
- ⭐ Star on GitHub
- 🔍 Free Security Scanner
McpFirewall is open‑source (MIT license) and lives at clawmoat/finance/mcp-firewall.
The clock is ticking. Strengthen your MCP ecosystem now.