MCP (Model Context Protocol) is everywhere. Cursor, Claude Desktop, Windsurf, GitHub Copilot — they all use MCP servers to give AI agents access to tools.
But nobody is scanning these servers for vulnerabilities.
I pointed my scanner at 15 public MCP servers. Every single one failed at least 6 out of 10 OWASP checks. Most failed all 10.
What’s exposed
MCP servers expose tools — functions that AI agents can call. Think run_command, query_database, read_file, fetch_url. Most servers have:
- No authentication — any caller can invoke any tool
- No input validation — command injection, SQL injection, path traversal all work
- No message signing — requests can be replayed or tampered
- No rate limiting — flood the server, nobody notices
-
Dangerous tools exposed —
exec,shell,admin_panelsitting in the open
This isn’t theoretical. The OWASP MCP Security Cheat Sheet documents these risks. There’s an IETF draft proposing per-message signing to address them.
The OWASP MCP Top 10
I mapped the most common MCP vulnerabilities to the OWASP Top 10 2025:
| # | Check | What it tests |
|---|---|---|
| 1 | Authentication Bypass | Can anyone call tools without credentials? |
| 2 | Unsigned Messages | Are requests signed? Can they be tampered? |
| 3 | Replay Attack | Does the server accept duplicate requests? |
| 4 | Command Injection | Can you escape tool arguments into shell? |
| 5 | SSRF | Can you hit cloud metadata (169.254.169.254) via tools? |
| 6 | Path Traversal | Can you read /etc/passwd through file tools? |
| 7 | Sensitive Tools Exposed | Are dangerous tools (exec, sql, admin) available? |
| 8 | Tool Definition Tampering | Do tool definitions change between calls (rug pull)? |
| 9 | Tool Poisoning | Are there prompt injection patterns in tool descriptions? |
| 10 | Rate Limiting | Does the server throttle rapid requests? |
Try it yourself
Cybersecify is a security scanner that runs these checks. Install it as an MCP server in Cursor or Claude Desktop:
{
"mcpServers": {
"security": {
"command": "npx",
"args": ["cybersecify"]
}
}
}
Then ask your AI:
- “Scan the MCP server at dvmcp.co.uk for vulnerabilities”
- “Is it safe to pip install litellm?”
- “Check if langchain-ai/langchain repo is safe”
Or scan our deliberately vulnerable MCP server at dvmcp.co.uk — it fails 10/10 checks on purpose. It’s a training lab.
What a scan looks like
Results: 0 passed, 10 failed (3 critical, 4 high)
[FAIL] MCP-01 Authentication Bypass (HIGH)
No authentication required. Any caller can invoke tools.
[FAIL] MCP-04 Command Injection (CRITICAL)
Shell command executed via tool arguments.
[FAIL] MCP-05 SSRF (HIGH)
Internal/metadata URL accessible via MCP.
[FAIL] MCP-09 Tool Poisoning (HIGH)
Prompt injection patterns in tool descriptions.
...
Community vs Pro
The Community Edition is free — 9 tools, OWASP MCP Top 10 scan, supply chain checks, threat intelligence.
Pro adds deeper scanning:
- OWASP Top 10 2025 active rules (6 checks with multiple test vectors)
- OWASP Top 10 2025 passive rules (4 checks)
- CIS MCP Benchmark (22 controls)
- EU AI Act compliance scan
- DAST mode with SARIF output for CI/CD
- Multi-target scanning and PDF/JSON/JUnit reports
More at cybersecify.co.uk.
The gap is real
97 million MCP SDK downloads. 13,000+ MCP servers. Zero security standard. The tools are being installed faster than anyone can audit them.
If you’re running MCP servers in production — or even in development — scan them. You’ll be surprised what’s exposed.
Raza Sharif, CyberSecAI Ltd