A new research report out today from cyber risk management company Bitsight Technologies Inc. warns about the security posture of the rapidly growing Model Context Protocol ecosystem by revealing that roughly 1,000 MCP servers are currently exposed on the public internet with no authorization controls in place.

MCP is an open-source standard designed to let large language model-powered applications connect directly to external tools, application programming interfaces, databases and workflows. The protocol allows AI systems to invoke real-world actions such as querying databases, executing commands, or calling third-party services.

While the MCP specification recommends using OAuth 2.1 for authorization, the report explains that authentication is technically optional. As a result, insecure deployments are widespread.

Bitsight’s researchers used scanning techniques to search for MCP servers reachable over HTTP-based transports and tested standard MCP endpoints such as /mcp, /sse and root paths. They then sent valid MCP initialization requests and analyzed server responses to identify exposed servers that accepted connections without any form of authentication.

In numerous instances, the researchers could retrieve full lists of available tools, resources and prompts directly from the servers. Several of the exposed MCP servers were also found to be tied to highly sensitive back-end systems.

Examples in the report include servers that allowed direct management of Kubernetes clusters, including executing commands inside live container pods, accessing customer relationship management platforms, and sending bulk WhatsApp messages suitable for spam operations. In some cases, MCP servers exposed tools capable of executing arbitrary shell commands. In doing so, they created a clear path to full system compromise.

The researchers warn that the risk is amplified by the trust assumptions developers often make when connecting internal tools to MCP servers.

Once an MCP server is exposed over the internet without authorization, it can become a proxy that attackers can use to pivot into otherwise well-protected databases, file systems and paid API services. The researchers also note that even MCP servers deployed inside corporate networks can be dangerous if attackers gain internal access through lateral movement.

The report concludes with a call for organizations experimenting with MCP to treat authorization as a mandatory requirement, not a deployment option.

The researchers recommend that any company using MCP servers should use best practices, including restricting MCP servers to internal networks whenever possible, using local transport methods such as stdio for internal applications and enforcing strong authentication mechanisms when public exposure is unavoidable.

Image: SiliconANGLE/Ideogram