41% of Official MCP Servers Lack Authentication: A Security Audit of 518 AI Agent Tools
These articles are AI-generated summaries. Please check the original sources for full details.
I Scanned Every Server in the Official MCP Registry. Here’s What I Found.
Kai Security AI conducted the first complete security audit of all 518 servers in the Model Context Protocol (MCP) registry. The scan found that 214 of them let any agent or other client enumerate every exposed tool without presenting any credentials.
Why This Matters
The MCP ecosystem is expanding faster than its security infrastructure: the registry grew from 90 to 518 servers in a single month. That pace creates a dangerous gap in which developers prioritize deployment speed over protocol-level authentication, producing what the audit calls ‘Tier 3’ servers, ones that expose sensitive capabilities such as code execution and database access to any agent that connects. Even where API-layer authentication protects tool execution, missing authentication at the discovery layer lets a malicious agent map the attack surface first: the tool schemas returned by an unauthenticated tools/list call (names, descriptions and parameter types) are exactly what it needs to craft targeted prompts.
Key Insights
- 41% of the 518 scanned servers (214 total) require no authentication at the MCP protocol level as of February 2026.
- The 131-tool social media server at sendit.infiniteappsai.com/mcp illustrates ‘API-layer auth’: its tools can be enumerated without credentials, but executing them requires credentials for the underlying API.
- The Bitrise CI/CD platform exposes 67 tools, including ‘delete_app’ and ‘register_ssh_key’, to unauthenticated discovery, so their names and input schemas are readable before any credential is checked.
- Supabase edge functions are frequently misconfigured with the anonymous key enabled, leaving tools such as those at fflpdljiuruqdnewvwkk.supabase.co fully open not just to enumeration but to execution.
- Deployments on Cloudflare Workers are more likely to include authentication than those on convenience-first platforms such as Railway.app, Render.com and Vercel.
Working Examples
Query the MCP Security API for unauthenticated servers with a minimum tool count.
GET https://mcp.kai-agi.com/api/registry?auth=false&min_tools=5
Directly scan an MCP server for authentication presence, tool enumeration, and SSRF vectors.
POST https://mcp.kai-agi.com/api/scan
{"url": "https://your-mcp-server.com/mcp"}
Practical Applications
- Enterprise Use Case: Implement Tier 1 authentication at the MCP layer itself (for example on Cloudflare or AWS), so that tool discovery and enumeration, not only tool execution, require credentials. Pitfall: a five-minute deployment to Railway or Vercel that never gets its ‘minute 6’, the step where authentication is added.
- Security Audit Use Case: Use the MCP Security API to verify the authentication posture of a third-party server before granting AI agents access to it. Pitfall: treating a listing in the official registry as a signal of trustworthiness; the registry currently imposes no security requirements for listing.
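The discovery-layer check described under Why This Matters and Key Insights, and the Tier 1 MCP-layer gating recommended above, as an added example in Python. This is not Kai Security AI's scanner and not the mcp.kai-agi.com API: it runs the Streamable HTTP handshake (initialize, notifications/initialized, tools/list) with no credentials and classifies the answer. The FakeMcp server, the protocol version string, the session id, the tool names and the SENSITIVE keyword list are all constructed for the example; its ‘bearer’ mode shows the posture the Tier 1 item calls for, a 401 challenge before any method, initialize included, is answered.

```python
"""Discovery-layer probe for an MCP server over Streamable HTTP. Added example,
not Kai Security AI's scanner: it sends initialize and tools/list with no
credentials and reports whether the server rejects at the MCP layer (401/403)
or lets every tool be enumerated. FakeMcp is constructed so it runs offline."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

PROTOCOL_VERSION = "2025-03-26"  # assumption: the protocol revision the probe offers
SENSITIVE = ("delete", "ssh", "exec", "shell", "sql", "deploy", "secret")  # assumption: names worth flagging

def jsonrpc(method, params=None, rid=None):
    """JSON-RPC 2.0 request (rid set) or notification (rid None)."""
    msg = {"jsonrpc": "2.0", "method": method}
    if params is not None:
        msg["params"] = params
    if rid is not None:
        msg["id"] = rid
    return msg

def parse_body(text):
    """Payload from a JSON body or from the first SSE 'data:' event; None if empty."""
    data = [ln[5:] for ln in text.splitlines() if ln.startswith("data:")] or [text]
    return json.loads(data[0]) if data[0].strip() else None

def post(url, payload, session=None):
    """POST one message with no credentials; return (status, headers, body text)."""
    headers = {"Content-Type": "application/json", "Accept": "application/json, text/event-stream"}
    if session:
        headers["Mcp-Session-Id"] = session
    req = urllib.request.Request(url, json.dumps(payload).encode(), headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as r:
            return r.status, r.headers, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.headers, e.read().decode(errors="replace")

def probe(url):
    """Run the handshake unauthenticated; classify mcp_auth as 'required' or 'none'."""
    init = {"protocolVersion": PROTOCOL_VERSION, "capabilities": {},
            "clientInfo": {"name": "probe", "version": "0.1"}}
    session, body = None, ""
    for method, params, rid in (("initialize", init, 1),
                                ("notifications/initialized", None, None),
                                ("tools/list", None, 2)):
        status, hdrs, body = post(url, jsonrpc(method, params, rid), session)
        if status in (401, 403):  # MCP-layer auth: nothing is enumerable
            return {"mcp_auth": "required", "challenge": hdrs.get("WWW-Authenticate"),
                    "tools": [], "sensitive": []}
        session = hdrs.get("Mcp-Session-Id") or session  # echo an issued session id
    reply = parse_body(body) or {}
    tools = [t["name"] for t in reply.get("result", {}).get("tools", [])]
    flagged = [t for t in tools if any(k in t.lower() for k in SENSITIVE)]
    return {"mcp_auth": "none", "challenge": None, "tools": tools, "sensitive": flagged}

# --- constructed local server: mode "open" (no auth) or "bearer" (MCP-layer auth) ---
TOOLS = [{"name": n, "inputSchema": {"type": "object"}} for n in ("list_apps", "delete_app", "register_ssh_key")]

class FakeMcp(BaseHTTPRequestHandler):
    mode = "open"

    def _send(self, code, obj=None, extra=None):
        body = json.dumps(obj).encode() if obj is not None else b""
        self.send_response(code)
        for k, v in {"Content-Type": "application/json",
                     "Content-Length": str(len(body)), **(extra or {})}.items():
            self.send_header(k, v)
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        msg = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        if self.mode == "bearer" and not self.headers.get("Authorization"):  # Tier 1: challenge first
            return self._send(401, {"error": "unauthorized"}, {"WWW-Authenticate": "Bearer"})
        if "id" not in msg:  # notification: accepted, no body
            return self._send(202)
        reply = {"jsonrpc": "2.0", "id": msg["id"]}
        if msg["method"] == "initialize":
            reply["result"] = {"protocolVersion": PROTOCOL_VERSION,
                               "capabilities": {"tools": {}}, "serverInfo": {"name": "fake"}}
            return self._send(200, reply, {"Mcp-Session-Id": "session-1"})
        if msg["method"] == "tools/list":
            reply["result"] = {"tools": TOOLS}
        else:
            reply["error"] = {"code": -32601, "message": "method not found"}
        self._send(200, reply)

def run_fake(mode):
    """Start a FakeMcp on a free loopback port and return its /mcp URL."""
    srv = HTTPServer(("127.0.0.1", 0), type("Handler", (FakeMcp,), {"mode": mode}))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}/mcp"

if __name__ == "__main__":
    for mode in ("open", "bearer"):
        print(mode, probe(run_fake(mode)))
```

Running the module prints a verdict for both modes: in ‘open’ mode all three constructed tools are enumerated and delete_app and register_ssh_key are flagged; in ‘bearer’ mode nothing is enumerable and the WWW-Authenticate challenge is reported. Against a real server, pass its /mcp endpoint to probe(): a 401 or 403 on initialize or tools/list is the MCP-layer authentication the audit measures, while a successful tools/list on a request that carried no Authorization header is the 41% case, whether or not the tools later demand credentials at the API layer.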