Trend Micro Finds 4,982 Security Issues Across Public MCP Servers
Trend Micro researchers have found 4,982 security issues across 2,259 affected public Model Context Protocol servers, raising new concerns about how quickly AI agent infrastructure is being adopted without matching security controls.
The findings come from a large review of 9,695 MCP servers collected from public directories, including GitHub, Glama, Lobehub, and PulseMCP. In its TrendAI security research, Trend Micro said popularity, development activity, and verification badges do not reliably show whether an MCP server is safe.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The risk matters because MCP servers often connect AI agents to files, databases, terminals, cloud systems, office tools, and business applications. A weak MCP server can turn an AI assistant from a helpful interface into a path for data exposure, command execution, or unauthorized actions.
What Trend Micro found in public MCP servers
The Model Context Protocol is designed to give AI applications a standard way to connect with external tools and data sources. The official MCP introduction describes it as a system that helps agents access data sources, tools, and apps so they can take useful actions for users.
That same flexibility creates a large attack surface. MCP servers can expose tool functions to an AI agent, and the MCP specification defines the protocol requirements for how clients and servers exchange messages.
Trend Microโs latest analysis grouped the discovered problems into three broad classes: exploitable vulnerabilities, design-level weaknesses, and malicious behavior such as prompt injection. Missing authentication appeared most often, but serious flaws such as arbitrary file access, command injection, SSRF, and SQL injection were also common.
| Security issue | Number of issues found | Risk category |
|---|---|---|
| No authentication | 2,054 | Vulnerable by design |
| Arbitrary file access | 880 | Vulnerability |
| Denial of service | 490 | Vulnerability |
| Command injection | 476 | Vulnerability |
| Server-side request forgery | 422 | Vulnerability |
| SQL injection | 211 | Vulnerability |
| Prompt injection | 185 | Malicious behavior |
| Cross-site scripting | 155 | Vulnerability |
| Code injection | 101 | Vulnerable by design |
| Authorization bypass | 8 | Vulnerability |
Popular MCP servers were not automatically safer
One of the most important findings is that GitHub stars did not provide a reliable safety signal. High-star MCP servers may have a larger blast radius because more users may install them, while low-star servers can still carry severe flaws because they may receive less scrutiny.
Verification status did not solve the problem either. Trend Micro found that verified servers averaged nearly as many security issues as unverified servers. Higher commit counts also did not strongly reduce risk, since active projects may add more features and more code paths without adding enough security review.
The TrendAI security research said the issue pattern points to broader gaps in input validation and basic security practices, not only isolated mistakes by a few developers.
- Popularity does not prove that an MCP server has been audited.
- Verification badges do not guarantee strong authentication or safe input handling.
- Active development can increase code surface if security review does not keep pace.
- Small experimental servers can still expose powerful tools to AI agents.
- Third-party MCP servers should be treated as unvetted software before deployment.
Why MCP flaws can become AI agent security risks
MCP servers are often privileged by nature. They may read files, query databases, call APIs, run scripts, or connect to internal services. When an AI agent can reach those tools, a flaw in the server can affect more than a single app.
The MCP specification gives developers a standard interface for this tool access, which helps adoption. But standardization does not remove the need for authentication, authorization, sandboxing, input validation, and runtime monitoring.
Trend Microโs earlier vulnerability sweep of 19,000 MCP servers also found exploitable issues across public repositories. That earlier work estimated that hundreds to more than a thousand open-source MCP repositories could contain exploitable vulnerabilities.
Crypto, office, and enterprise tools showed serious exposure
The researchers found risk across several MCP use cases. Crypto and DeFi-focused servers stood out because they may connect AI agents to wallets, trading workflows, blockchain analytics, and token operations.
In one anonymized case, a developer with more than 40 crypto-related MCP servers had 101 issues across 13 affected repositories. Trend Micro described flaws such as server-side template injection and prompt injection, which could become dangerous when an AI agent has access to financial actions.

Office automation and enterprise middleware also showed problems. Some office-focused servers used unsafe code execution patterns, while JDBC and ODBC middleware servers had SQL injection and unauthenticated Active Directory access risks.
| Use case | Example risk | Possible impact |
|---|---|---|
| Crypto and DeFi tools | Prompt injection and server-side template injection | Unauthorized transactions, wallet exposure, or tool abuse |
| Office automation | Unsafe eval-style code execution and path traversal | Arbitrary code execution or file exposure |
| Enterprise database connectors | SQL injection | Data theft, data manipulation, or database reconnaissance |
| Identity and directory tools | Unauthenticated Active Directory queries | Internal reconnaissance and privilege-escalation support |
Security issues often appeared together
The report also found that MCP security issues frequently appeared in clusters. Arbitrary file access combined with missing authentication was one of the most important patterns.
This matters because attackers often chain weaknesses. A server with no authentication may expose tools to anyone who can reach it. If the same server also allows arbitrary file access or command injection, the impact can move from misconfiguration to active compromise.
For AI agents, prompt injection adds another layer of risk. A malicious prompt may not need to exploit a traditional software bug if it can influence the agent into calling a sensitive MCP tool with unsafe input.
How organizations should secure MCP deployments
Security teams should not deploy public MCP servers based only on GitHub stars, directory listings, or a verification label. The safer approach is to treat every third-party MCP server like code that will run near sensitive systems.
The official MCP introduction highlights the value of giving agents access to tools and data. Enterprises should keep that value, but they need stronger controls around which tools agents can use, what data those tools can reach, and what actions they can perform.
The earlier Trend Micro MCP server sweep also warned against fully delegating complex security work to automated systems without expert validation. That same principle applies to MCP adoption: automation can help, but humans still need to review high-risk integrations.
- Review third-party MCP server code before use.
- Require authentication for every MCP server that handles sensitive actions or data.
- Apply least-privilege access to files, APIs, databases, and cloud services.
- Validate all tool inputs before passing them to operating system commands, database queries, or file paths.
- Run MCP servers in isolated environments with network and file system restrictions.
- Inspect agent-to-server traffic for unexpected commands, URLs, prompts, or payloads.
- Use behavior baselines to detect when a tool performs actions outside its expected purpose.
Bottom line
Trend Microโs findings show that MCP security has not kept pace with MCP adoption. The protocol is becoming important for agentic AI, but the public server ecosystem still contains many weak implementations.
Enterprises should not assume that a public MCP server is safe because it appears popular, verified, or actively maintained. The better model is zero trust: audit the code, limit permissions, monitor behavior, and isolate every tool before giving it access to real data or production systems.
FAQ
Trend Micro found 4,982 security issues across 2,259 affected public MCP servers after reviewing 9,695 servers from public directories. The issues included missing authentication, arbitrary file access, command injection, SSRF, SQL injection, prompt injection, and code injection.
MCP servers can connect AI agents to files, databases, cloud systems, APIs, terminals, and internal business tools. If a server has weak authentication or unsafe input handling, attackers may use it to access data, run commands, or manipulate agent behavior.
No. Trend Micro found that popularity, repository activity, and verification status do not reliably indicate MCP server security. Organizations should review the code and security controls before using any third-party MCP server.
The most common issue in the study was missing authentication, followed by arbitrary file access, denial of service, command injection, SSRF, SQL injection, prompt injection, cross-site scripting, code injection, and authorization bypass.
Organizations should audit third-party MCP server code, enforce authentication, use least privilege, validate all tool inputs, run servers in isolated environments, inspect traffic between agents and servers, and monitor for unusual tool behavior.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages