GBHackers

Thousands of MCP Servers Found Vulnerable to File Access and Injection Attacks


Thousands of Model Context Protocol (MCP) servers, widely used to connect large language models (LLMs) to external systems, have been found vulnerable to critical security flaws, including arbitrary file access, command injection, server-side request forgery (SSRF), and SQL injection, raising significant concerns about AI supply chain security.

A large-scale analysis of 9,695 MCP servers across popular directories such as GitHub, Glama, Lobehub, and PulseMCP reveals that commonly trusted indicators like popularity, repository activity, and verification badges do not reliably reflect security posture, exposing organizations to systemic risks as adoption accelerates.

Thousands of MCP Servers Found Vulnerable

The research identified 5,832 servers with security issues, of which 2,259 were confirmed to contain exploitable vulnerabilities beyond simple authentication gaps.

In total, 4,982 distinct security issues were cataloged, including 880 cases of arbitrary file access, 476 command injection flaws, 422 SSRF vulnerabilities, 211 SQL injection issues, and 490 denial-of-service weaknesses.

Additional findings included cross-site scripting (155 instances), authorization bypass, and 185 prompt injection cases categorized as malicious behavior. Notably, 2,054 servers lacked authentication mechanisms, which, while not flagged independently, significantly amplify the impact of other vulnerabilities when combined.

Security issueCategoryNumber of issues
Code injectionVulnerable by design101
No authenticationVulnerable by design2,054
Command injectionVulnerability476
Arbitrary file accessVulnerability880
SSRFVulnerability422
Denial of serviceVulnerability490
Cross-site scriptingVulnerability155
SQL injectionVulnerability211
Authorization bypassVulnerability8
Prompt injectionMalicious behavior185

MCP servers serve as a critical bridge between AI agents and sensitive resources, such as file systems, databases, APIs, and cloud environments, enabling “agentic workflows” to execute code and automate tasks. However, this privileged access also expands the attack surface.

The study found that vulnerabilities frequently co-occur, with patterns such as arbitrary file access combined with missing authentication highlighting systemic failures in input validation and secure design practices rather than isolated coding errors.

The top combinations of security issues (Source: Trend AI Security)

Contrary to common assumptions, the analysis demonstrated no meaningful correlation between a server’s popularity and its security. High-popularity servers (50+ GitHub stars) often pose the greatest risk due to their widespread adoption, thereby increasing the blast radius of a single vulnerability.

These servers commonly exhibit SSRF, prompt injection, and file access flaws tied to feature-rich integrations. Mid-tier servers (10–49 stars) dominate the ecosystem in volume and show the highest diversity of vulnerabilities, while low-popularity and no-star repositories, often experimental or privately used, still contain severe issues such as command execution flaws, despite limited visibility.

Similarly, repository activity, as measured by commit history, failed to indicate improved security. Highly active projects with over 100 commits showed vulnerability rates comparable to those of less active projects, suggesting that increased development complexity introduces more attack vectors without necessarily improving defensive controls.

Even verification mechanisms implemented by MCP directories, including code inspection tools and ownership validation, did not significantly reduce risk, as verified servers had nearly the same average number of vulnerabilities as unverified ones.

The Trend AI Security study also highlights real-world risk scenarios across multiple domains. In cryptocurrency- and DeFi-focused MCP servers, researchers identified server-side template injection vulnerabilities that enable remote code execution, as well as prompt injection flaws that can manipulate AI agent behavior.

In enterprise environments, MCP servers designed for database connectivity exposed SQL injection vulnerabilities and unauthenticated Active Directory queries, potentially allowing attackers to perform reconnaissance or escalate privileges via natural-language queries processed by AI systems.

A particularly concerning finding is the emergence of “severity-weighted reach,” where highly popular servers with multiple vulnerabilities pose disproportionate systemic risk due to their widespread deployment. Servers exposing numerous MCP tools further increase the attack surface, making exploitation more scalable and impactful across organizations relying on shared AI infrastructure.

The research underscores a broader industry issue: the lack of consistent input validation and secure development practices across the MCP ecosystem. Most vulnerabilities were categorized as developer-introduced flaws rather than intentional malicious behavior. However, prompt injection remains an emerging threat vector in LLM-integrated environments.

Security experts warn that organizations must abandon trust-based assumptions when integrating third-party MCP servers and adopt a zero-trust approach.

This includes conducting code audits, enforcing authentication and least privilege, validating all inputs, and implementing real-time traffic inspection to detect anomalous behavior. As MCP continues to underpin the evolution of AI-driven automation, the findings emphasize that security must evolve alongside functionality to prevent large-scale exploitation of interconnected AI systems.

Interact with Cyber Threats in Windows, Linux, macOS VMs to Trigger Full Attack Chain - Analyse Malware & Phishing with ANY RUN



Source link