Blog · April 21, 2026 · 8 min read

MCP Server Security: What You Need to Know

Between January and February 2026, security researchers filed 30 CVEs against MCP server implementations. 82% of audited servers had path-traversal vulnerabilities. The MCP ecosystem has a security crisis, and most procurement teams have no structured way to evaluate it.

Why the MCP attack surface is wider than it looks

MCP servers expose tools to LLMs over JSON-RPC. The model decides when to call them; you decide what they're allowed to do. The tools have access to your filesystem, your shell, your databases, and (transitively) any service whose credentials you've handed the server. A path-traversal bug in a single tool turns into "the model just read your ~/.ssh/id_rsa".

Three categories of failure account for almost every MCP CVE:

  • Path traversal — a tool that takes a filename accepts ../../etc/passwd. Easy to find with fuzzing, ubiquitous in the wild.
  • Command injection — a tool that wraps sh -c doesn't sanitize its arguments. The model is the attacker now.
  • Over-privileged credentials — the server holds a Postgres URL with full DBA rights when read-only would suffice. The blast radius of a prompt-injection attack equals the credentials' scope.
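The first two failure classes above, shown as an added example that is not BenchLytix's code or code from any real MCP server: two tool handlers of the kind an MCP server exposes, each in the vulnerable form described in the list and in a hardened form. The hardened read_file resolves the requested path (following symlinks and collapsing "..") and then checks that the result is still inside the sandbox directory; the hardened count_lines passes the filename as one argv element with no shell involved. All names (confine_path, read_file, count_lines, the demo layout) are hypothetical, and the line-counting child process is a stand-in for whatever CLI a real tool would wrap.

```python
"""Added example: path-confinement and no-shell argument passing for
MCP-style tool handlers.  Not BenchLytix's code; all names are hypothetical."""
from __future__ import annotations

import shutil
import subprocess
import sys
import tempfile
from pathlib import Path


def confine_path(base: Path, user_path: str) -> Path | None:
    """Return the resolved path if it stays inside *base*, else None.

    resolve() follows symlinks and collapses '..', so the check runs on the
    path the OS will actually open, not on the string the model sent.  An
    absolute user_path replaces base in the join and is rejected the same way.
    """
    base = base.resolve()
    candidate = (base / user_path).resolve()
    return candidate if candidate.is_relative_to(base) else None


def read_file_unsafe(base: Path, user_path: str) -> str:
    """Vulnerable form: '../secret.txt' or a symlink escapes *base*."""
    return (base / user_path).read_text()


def read_file(base: Path, user_path: str) -> str:
    """Hardened form: refuse anything that resolves outside the sandbox."""
    target = confine_path(base, user_path)
    if target is None or not target.is_file():
        raise PermissionError(f"refusing to read outside sandbox: {user_path!r}")
    return target.read_text()


def count_lines_unsafe(base: Path, user_path: str) -> str:
    """Vulnerable form: the filename is interpolated into a shell string, so
    any shell metacharacters the model puts in it are interpreted.  Kept for
    contrast only; the demo never calls it."""
    out = subprocess.run(f"wc -l {base / user_path}", shell=True,
                         capture_output=True, text=True)
    return out.stdout


# Stand-in for a real CLI: a child Python process that prints a line count.
LINE_COUNTER = "import sys; print(sum(1 for _ in open(sys.argv[1])))"


def count_lines(base: Path, user_path: str) -> int:
    """Hardened form: confined path, argv list, no shell.  However odd the
    filename looks, it reaches the child as exactly one argument."""
    target = confine_path(base, user_path)
    if target is None or not target.is_file():
        raise PermissionError(f"refusing to count outside sandbox: {user_path!r}")
    out = subprocess.run([sys.executable, "-c", LINE_COUNTER, str(target)],
                         capture_output=True, text=True, check=True)
    return int(out.stdout)


def build_demo_sandbox() -> tuple[Path, Path]:
    """Constructed layout (temp dir, not a real deployment):
    root/secret.txt            outside the sandbox
    root/sandbox/notes.txt     legitimate tool input
    root/sandbox/escape        symlink -> ../secret.txt
    root/sandbox/a b;c.txt     awkward but legitimate filename"""
    root = Path(tempfile.mkdtemp(prefix="mcp-sandbox-demo"))
    (root / "secret.txt").write_text("top secret\n")
    sandbox = root / "sandbox"
    sandbox.mkdir()
    (sandbox / "notes.txt").write_text("line one\nline two\nline three\n")
    (sandbox / "escape").symlink_to(root / "secret.txt")
    (sandbox / "a b;c.txt").write_text("x\ny\n")
    return root, sandbox


def run_demo() -> dict[str, object]:
    """Exercise both handlers against the constructed layout."""
    root, sandbox = build_demo_sandbox()
    results: dict[str, object] = {}
    try:
        # The unsafe handler happily returns the file outside the sandbox.
        results["unsafe_traversal"] = read_file_unsafe(sandbox, "../secret.txt")
        # The hardened handler blocks all three escape routes.
        for label, rel in [("traversal", "../secret.txt"),
                           ("absolute", str(root / "secret.txt")),
                           ("symlink", "escape")]:
            try:
                read_file(sandbox, rel)
                results[label] = "allowed"
            except PermissionError:
                results[label] = "blocked"
        results["in_sandbox"] = read_file(sandbox, "notes.txt")
        results["line_count"] = count_lines(sandbox, "notes.txt")
        results["odd_name_count"] = count_lines(sandbox, "a b;c.txt")
    finally:
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The check in confine_path runs after resolve() on purpose: validating the raw string (rejecting ".." substrings, say) misses symlinks and platform path quirks, whereas comparing the fully resolved path against the resolved sandbox root covers traversal, absolute paths and symlink escapes with one test.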

The OWASP MCP Top 10

OWASP's Model Context Protocol Top 10 (draft Q1 2026) formalizes the threat model. BenchLytix's automated security scan evaluates every listed server against all ten categories — prompt injection, over-privileged tools, unsafe deserialization, missing rate-limits, and so on — and folds the worst-case finding into a 5-color severity badge:

  • Red — verified secret leak or critical vulnerability. Don't deploy.
  • Orange — high-severity finding. Sandbox required.
  • Yellow — medium vulnerabilities or disallowed licenses. Review carefully.
  • Green — no findings above MEDIUM after the most recent scan.
  • Grey — scanner crash or insufficient data. Treat as "unknown", not "safe".

We deliberately don't emit a numeric "security score" — color is a defensible severity signal; a number invites false precision and gaming.

Supply chain matters as much as the server itself

The TeamPCP campaign (Feb–March 2026) compromised 60+ npm packages used as MCP-server dependencies. The server's own code passed every static-analysis check; the malicious payload arrived as a minor version bump of a transitive dep.

BenchLytix tracks supply-chain CVEs via OSV.dev. When a CVE is disclosed against any package in a verified agent's dependency tree, we re-scan within minutes and flip the badge color if the severity warrants it.

What to ask before deploying an MCP server

  1. What's its current BenchLytix security badge color?
  2. What credentials does it require, and can you scope them narrower (read-only, single-database, single-table)?
  3. Does the server run inside a sandbox (network egress allowlist, read-only filesystem, dropped capabilities)?
  4. How was the server's scoring assembled? See /docs/scoring-methodology for our methodology.

A verified-and-green badge isn't a guarantee — security is never zero-risk — but it shifts the question from "is this server safe?" (unknowable) to "has this server been independently scanned and what did the scan find?" (answerable).

Further reading