The Model Context Protocol (MCP) continues to face mounting security concerns that show no signs of fading. When vulnerabilities were first highlighted last October, early research already pointed to serious risks. Findings from Pynt indicated that installing just 10 MCP plug-ins results in a 92% likelihood of exploitation, with even a single plug-in introducing measurable exposure.
The emergence of Clawdbot significantly altered the threat landscape. The fast-growing personal AI assistant — capable of managing inboxes and generating code autonomously — operates entirely on MCP. Developers who deployed Clawdbot on virtual private servers without reviewing security documentation may have unintentionally exposed their organizations to the protocol’s full attack surface.
(The project rebranded from Clawdbot to Moltbot on January 27 after Anthropic issued a trademark request over the similarity to "Claude.")
Security entrepreneur Itamar Golan anticipated this trajectory. After selling Prompt Security to SentinelOne for an estimated $250 million last year, he issued a public warning on X this week: "Disaster is coming. Thousands of Clawdbots are live right now on VPSs … with open ports to the internet … and zero authentication. This is going to get ugly."
Subsequent internet scans by Knostic reinforced those concerns. Researchers identified 1,862 MCP servers publicly accessible without authentication. Out of 119 servers tested, every single one responded without requesting credentials.
The implication is straightforward: whatever a Clawdbot instance has been permitted to do (read mail, send messages, touch files, run code) is available to anyone who can reach its unauthenticated port, so any function it automates can be repurposed by an attacker.
Recent vulnerabilities are not isolated anomalies — they stem from fundamental design choices within MCP. Three major CVEs illustrate this pattern:
- CVE-2025-49596 (CVSS 9.4): Anthropic’s MCP Inspector enabled unauthenticated communication between its web interface and proxy server, making full system compromise possible through a malicious webpage.
- CVE-2025-6514 (CVSS 9.6): A command injection flaw in mcp-remote — an OAuth proxy downloaded 437,000 times — allowed system takeover when connected to a malicious MCP server.
- CVE-2025-52882 (CVSS 8.8): Widely used Claude Code extensions exposed unauthenticated WebSocket servers, permitting arbitrary file access and remote code execution.
Three critical- or high-severity vulnerabilities within six months, each reached through a different vector (a malicious webpage, a malicious server, an unauthenticated local socket), all trace back to the same core issue: authentication in MCP was optional, and many developers treated optional controls as unnecessary.
Further analysis by Equixly found systemic weaknesses across popular MCP implementations. Their review revealed that 43% contained command injection flaws, 30% allowed unrestricted URL fetching, and 22% exposed files beyond intended directories.
Forrester analyst Jeff Pollard summarized the concern in a blog post: "From a security perspective, it looks like a very effective way to drop a new and very powerful actor into your environment with zero guardrails."
The risk is substantial. An MCP server with shell access can enable lateral movement, credential harvesting, and ransomware deployment — all triggered through prompt injection hidden within documents processed by AI agents.
Known Flaws, Slow Mitigation
Security researcher Johann Rehberger disclosed a file exfiltration vulnerability last October, demonstrating how prompt injection could manipulate AI agents into transmitting sensitive files to attacker-controlled accounts.
Anthropic’s launch of Cowork this month extended MCP-based agents to a broader and potentially less security-aware audience. The same vulnerability remains exploitable. PromptArmor recently demonstrated how a malicious document could trick an agent into uploading confidential financial information.
Anthropic’s mitigation guidance states that users should watch for "suspicious actions that may indicate prompt injection."
Investor Olivia Moore of a16z highlighted the broader disconnect after testing Clawdbot over a weekend: "You're giving an AI agent access to your accounts. It can read your messages, send texts on your behalf, access your files, and execute code on your machine. You need to actually understand what you're authorizing."
The challenge is that many users — and many developers — do not fully grasp the scope of access they grant. MCP’s architecture never required them to.
Five Immediate Steps for Security Leaders
Security experts recommend urgent action:
- Audit MCP deployments immediately. Standard endpoint detection tools often overlook MCP servers because they appear as legitimate Node or Python processes. Specialized visibility is required.
- Make authentication mandatory. The MCP specification recommends OAuth 2.1 for HTTP-based transports, but the SDKs do not enforce authentication on their own; a server runs unauthenticated unless the developer adds it. All production deployments should require authentication by default.
- Limit network exposure. MCP servers should bind to localhost unless remote access is strictly necessary and secured. The large number of exposed servers suggests misconfiguration is widespread.
- Design for inevitable prompt injection. Assume agents will be compromised. Implement access controls accordingly, especially if servers wrap cloud credentials, filesystems, or deployment pipelines.
- Enforce human approval for sensitive actions. Require explicit confirmation before agents send external communications, delete data, or access confidential resources. AI agents should be treated like fast but literal junior employees who will execute instructions exactly as given.
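The checks below show the first four steps as running code: an audit pass over listening sockets, a bind-address policy that refuses remote exposure without a token, a constant-time bearer-token check, and a tool gate that denies anything outside an allowlist and holds sensitive actions for human approval. This is an added illustration written for this page, not code from Clawdbot, Moltbot, or the MCP SDKs; the `ss -ltnp` lines are constructed, the tool names are hypothetical, and the gateway sits in front of an MCP server rather than implementing the protocol itself.

```python
"""Hardening checks for an agent/tool server (added example; sample data is constructed)."""
import hmac
import ipaddress
import re
import secrets

# --- Step 1: audit. Constructed `ss -ltnp` output, not from a real host. ---
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511          0.0.0.0:18789      0.0.0.0:*     users:(("node",pid=4120,fd=22))
LISTEN 0      128        127.0.0.1:6274      0.0.0.0:*     users:(("node",pid=4188,fd=19))
LISTEN 0      128          0.0.0.0:8000      0.0.0.0:*     users:(("python3",pid=4301,fd=5))
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511             [::]:3000         [::]:*     users:(("node",pid=4402,fd=21))
"""

# MCP servers usually show up as plain Node or Python processes, so audit by runtime, not by name.
AGENT_RUNTIMES = {"node", "python", "python3"}
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def exposed_agent_listeners(ss_output):
    """Return (proc, pid, addr, port) for Node/Python listeners not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue
        addr = ipaddress.ip_address(m["addr"].strip("[]"))  # "[::]" -> "::"
        if m["proc"] in AGENT_RUNTIMES and not addr.is_loopback:
            findings.append((m["proc"], int(m["pid"]), str(addr), int(m["port"])))
    return findings


# --- Steps 2 and 3: no remote bind without a token; no request without a valid token. ---
def check_bind_policy(bind_addr, auth_token):
    """Allow loopback freely; refuse any other bind unless an auth token is configured."""
    if ipaddress.ip_address(bind_addr).is_loopback:
        return "ok-local"
    if not auth_token:
        raise RuntimeError(f"refusing to bind {bind_addr}: remote exposure without authentication")
    return "ok-authenticated-remote"


def authorize(headers, expected_token):
    """Mandatory bearer auth with a constant-time compare (hypothetical header dict)."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected_token.encode())


# --- Step 4: assume prompt injection; allowlist tools and hold sensitive ones for approval. ---
class ToolGate:
    def __init__(self, allowed, sensitive):
        self.allowed = set(allowed)
        self.sensitive = set(sensitive)

    def decide(self, tool, human_approved=False):
        if tool not in self.allowed:
            return "deny"            # least privilege: unknown tools never run
        if tool in self.sensitive and not human_approved:
            return "needs_approval"  # external sends, deletes, secrets wait for a human
        return "allow"


def handle_tool_request(headers, body, expected_token, gate):
    """Gateway decision for one tool call: auth first, then the tool policy."""
    if not authorize(headers, expected_token):
        return {"status": 401, "error": "authentication required"}
    decision = gate.decide(body["tool"], body.get("human_approved", False))
    if decision == "allow":
        return {"status": 200, "tool": body["tool"]}
    if decision == "needs_approval":
        return {"status": 202, "pending": body["tool"]}
    return {"status": 403, "error": "tool not permitted"}


if __name__ == "__main__":
    for finding in exposed_agent_listeners(SAMPLE_SS_OUTPUT):
        print("exposed listener:", finding)
    token = secrets.token_urlsafe(32)  # generate, don't hardcode, the bearer token
    gate = ToolGate(allowed={"search_docs", "send_email", "delete_file"},
                    sensitive={"send_email", "delete_file"})
    print(handle_tool_request({"authorization": f"Bearer {token}"},
                              {"tool": "send_email"}, token, gate))
```

Running the audit against real hosts means feeding it the live output of `ss -ltnp` and triaging every Node or Python listener on a non-loopback address; the gateway functions are the policy a practitioner would enforce in front of each one.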
While security vendors quickly capitalized on MCP-related risks, many enterprises lagged behind. Clawdbot adoption surged in Q4 2025, yet most 2026 security roadmaps lack dedicated AI agent controls.
The divide between developer enthusiasm and organizational governance continues to grow. As Golan warned, "This is going to get ugly."
The pressing question is whether organizations will secure their MCP infrastructure before attackers exploit the opportunity.