State of MCP Security 2026

March 2026 · AgentGrade Research · 25,745 servers indexed

The largest independent security analysis of the Model Context Protocol ecosystem.

AgentGrade has indexed 25,745 MCP servers sourced from Smithery, the MCP Registry, npm, and direct crawls. We ran automated security checks against every reachable endpoint and assigned an A–F grade based on authentication, header configuration, CORS policy, admin exposure, and transport security.

The results are sobering. The vast majority of the ecosystem is either unreachable or insecure—often both.

By the Numbers

25,745 MCP servers indexed
83% unreachable or offline
89.9% require no authentication
~60% expose admin endpoints
57 achieve Grade A
10.1% require auth (of reachable)

Grade Distribution

Of the approximately 4,400 reachable servers we could scan, grades break down as follows. Only 57 servers—1.3% of graded endpoints—earned an A.

D is the dominant grade, held by nearly half of all graded servers. F follows at 32%. Fewer than one in ten servers earned a B or better.

What We Found

Authentication: 89.9% Open to Anyone

Only 10.1% of reachable MCP servers require any form of authentication. The remaining 89.9% accept connections from any client on the public internet.

The MCP specification introduced an OAuth 2.1-based authorization framework in March 2025, but adoption has been slow. Most servers in this dataset were either built before that addition or assembled from tutorials and SDKs that omit authentication entirely.

For servers that expose file system access, database queries, or API integrations, the absence of authentication means any caller can invoke those tools without restriction. There is no access control, no audit trail, and no revocation mechanism.

Availability: 83% Offline or Unreachable

83% of the 25,745 indexed servers returned no response during our scan window. This is consistent with the lifecycle of the MCP ecosystem: many servers were published as demos, tutorial artifacts, or one-off integrations that are no longer actively deployed.

The 17% that are reachable represent the actively deployed production tail—and those are the servers that carry real risk. They are connected to live AI clients and exposed on the public internet.

Admin Endpoint Exposure: ~60% Flagged

Approximately 60% of servers expose administrative endpoints to the public internet.

Administrative endpoints include configuration APIs, management panels, debug interfaces, and internal health routes never intended for external access. Exposure does not guarantee exploitation—many require credentials—but it dramatically expands attack surface. An attacker who can reach an admin interface has already bypassed the first layer of network-level defense.

The scale here is notable. In our earlier dataset of 1,192 servers, 17.2% had admin exposure. The jump to ~60% across 25,745 indexed servers suggests that the smaller initial dataset was biased toward more carefully deployed servers from established registry listings. The long tail of the ecosystem is less hardened.

Security Headers: Widely Missing

HTTP security headers are a low-effort, high-impact hardening layer. For MCP servers that also serve web interfaces or are reachable via browser-based clients, header misconfiguration enables clickjacking, MIME sniffing attacks, and cross-origin data theft.

Header                    | Purpose                                                 | Typical miss rate
--------------------------|---------------------------------------------------------|------------------
Content-Security-Policy   | Blocks injected scripts and unauthorized resource loads | >85%
X-Frame-Options           | Prevents UI redress / clickjacking attacks              | >80%
X-Content-Type-Options    | Blocks MIME-type sniffing                               | >75%
Strict-Transport-Security | Forces HTTPS for all future connections                 | >70%

HTTPS: The One Bright Spot

Nearly all reachable servers use HTTPS. Transport-level encryption is now a de facto requirement enforced by hosting platforms and certificate authorities. This is the floor, not the ceiling—but it is worth noting that the ecosystem has largely cleared it.

Remediation: What to Fix First

The following table maps each check to its fix, ordered by impact and implementation effort.

Check                   | Fix                                                                                                                                                                  | Effort
------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------
No authentication       | Implement OAuth 2.1 per the MCP spec, or API key validation at minimum. Reject unauthenticated connections at the transport layer.                                    | Medium
Admin endpoints exposed | Move admin routes behind a separate internal port or VPN. If that is not feasible, add IP allowlisting and mandatory authentication before any admin path.           | Low–Medium
Missing CSP             | Add Content-Security-Policy: default-src 'self' as a starting point. Tighten as needed. Most frameworks set this in one middleware line.                             | Low
Missing X-Frame-Options | Add X-Frame-Options: DENY unless your server intentionally embeds in iframes. Takes under five minutes.                                                              | Low
Missing HSTS            | Add Strict-Transport-Security: max-age=31536000; includeSubDomains once you are fully on HTTPS.                                                                      | Low
CORS wildcard           | Replace Access-Control-Allow-Origin: * with an explicit allowlist of trusted origins. Wildcards let any website make authenticated cross-origin requests.            | Low
Credential leakage      | Audit response bodies for API keys, tokens, or secrets. Rotate any that may have been exposed. Implement response filtering to strip sensitive fields.               | Medium
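The header table above and the first six rows of this remediation table can be applied in one request wrapper. The block below is an added example, not code from AgentGrade or from any MCP SDK: it wraps a framework-agnostic handler with pre-shared-key validation (constant-time compare), internal-only admin routes, an explicit CORS allowlist, and the four security headers. The key, origin, admin prefixes and internal network are constructed placeholders.

```python
import hmac
import ipaddress

# Constructed configuration for the example; substitute your own values.
API_KEY = "example-key-do-not-use"                 # pre-shared key, validated on every request
ALLOWED_ORIGINS = {"https://app.example.com"}      # explicit CORS allowlist, never "*"
ADMIN_PREFIXES = ("/admin", "/debug", "/config")   # routes that must never be public
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # where admin callers are expected from

SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


def _finish(status, headers, body, origin):
    """Attach the hardening headers; echo a CORS origin only if it is allowlisted."""
    out = dict(SECURITY_HEADERS)
    out.update(headers)
    if origin in ALLOWED_ORIGINS:
        out["Access-Control-Allow-Origin"] = origin
        out["Vary"] = "Origin"
    return status, out, body


def harden(handler):
    """Wrap handler(path, headers) -> (status, headers, body) with the checks above."""
    def wrapped(path, headers, client_ip):
        hdrs = {k.lower(): v for k, v in headers.items()}
        origin = hdrs.get("origin")
        # 1. Reject unauthenticated callers before any tool code runs.
        auth = hdrs.get("authorization", "")
        token = auth[7:] if auth.lower().startswith("bearer ") else ""
        if not hmac.compare_digest(token.encode(), API_KEY.encode()):
            return _finish(401, {"WWW-Authenticate": "Bearer"}, b"unauthorized", origin)
        # 2. Admin routes answer only from the internal network; everyone else sees 404.
        if path.startswith(ADMIN_PREFIXES) and ipaddress.ip_address(client_ip) not in INTERNAL_NET:
            return _finish(404, {}, b"not found", origin)
        status, resp_headers, body = handler(path, hdrs)
        return _finish(status, resp_headers, body, origin)
    return wrapped


@harden
def tool_server(path, headers):
    """Stand-in for the MCP tool endpoint (constructed)."""
    return 200, {"Content-Type": "application/json"}, b'{"tools": []}'
```

client_ip must be the address your edge actually trusts; behind a reverse proxy that means the proxy-supplied client address, not the proxy itself.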

What This Means for AI Clients

Every MCP server you connect to Claude, Cursor, Windsurf, or any other AI client becomes part of your security perimeter. The client executes tool calls on your behalf. If the server has no authentication, the tools it exposes are reachable by anyone who knows the URL—and URLs are often predictable, guessable, or indexed.

If you build MCP servers: Authentication is not optional for anything exposed beyond localhost. Use the MCP spec's OAuth 2.1 framework or, at minimum, a pre-shared API key validated on every request. Add security headers—they take minutes and eliminate entire vulnerability classes.

If you connect MCP servers to AI clients: Check the grade of every server before connecting it. A server with Grade D or F is running tools with no access control. Treat it the way you would treat giving an untrusted third party shell access to your environment.

If you run an MCP registry: Security grades at listing time would dramatically improve ecosystem-wide hygiene. A server that fails authentication checks should surface that fact before an AI client connects to it.

Methodology

AgentGrade crawls Smithery, the MCP Registry, npm (mcp-server-* packages), and community-curated lists. Each reachable endpoint is scanned for: authentication requirement, security header presence, CORS configuration, TLS status, admin endpoint exposure, open redirect vectors, directory listing, and error information leakage. Grades are computed from a weighted score across all checks. Scans run continuously; grades reflect the most recent scan for each server.

Full methodology at agentgrade.net/watch/methodology. Data sourced from live scans as of March 2026. The 25,745 server count represents all indexed entries; the reachable subset (~4,400) represents servers that returned a response during our scan window.
