· security checklist ·

MCP Server Vulnerability Checklist (2026 Edition)

Published April 20, 2026 · by Septim Labs · 9 min read

TL;DR

43% of public MCP servers have command-execution vulnerabilities as of early 2026 — per a February 2026 audit.
The attack surface is wider than most developers realize: prompt injection, supply chain, SSRF, and auth bypasses are all in scope.
This 24-point checklist covers every major class. Run it before your MCP server touches production.

Why MCP security is a problem right now

The Model Context Protocol gives LLMs the ability to call tools, read files, and execute code on behalf of users. That is extremely useful. It is also a large attack surface that most developers have not fully mapped.

In April 2026, The Register reported that a design flaw in MCP's STDIO transport "puts 200,000 servers at risk" of complete takeover. The researchers at Ox Security responsible for the disclosure found that the flaw "lets anyone run any arbitrary OS command" if the server accepts STDIO connections without guarding what gets executed during startup. Anthropic declined to treat it as a protocol-level fix, calling the behavior expected. That means the fix is on you as the server operator.

43%

of public MCP servers vulnerable to command execution (Feb 2026 audit)

53%

of servers use static credentials (Astrix Security, 2026)

341

malicious skills found on ClawHub marketplace (Koi Security, 2026)

9.8

CVSS score on CVE-2026-33032, an nginx-ui MCP auth bypass (MCPwn, 2026)

The academic side reinforces this. Research published in April 2025 on arXiv (2504.03767) — "MCP Safety Audit: LLMs with the Model Context Protocol Allow Major Security Exploits" — documented three primary attack classes: malicious code execution, remote access control, and credential theft. The researchers also released MCPSafetyScanner, a free automated tool for testing a server's posture. The problem was visible before it became a crisis. Now it is a crisis.

The best public reference for what a secure MCP server looks like is the SlowMist MCP Security Checklist on GitHub. The 24 items below draw on that structure, the Ox Security disclosure, the CVE record for CVE-2026-33032, and the arXiv paper. Where a check maps directly to a known CVE or published finding, the source is cited.

Run this checklist interactively

Paste your server's config and get a pass/fail score against all 24 items in about 90 seconds.

Open the free MCP Security Checklist tool →

The 24-point checklist

Each item has: the check question, why it matters, and one concrete way to verify it. Severity ratings follow SlowMist's three-tier model: High items are non-negotiable before production, Medium items are strongly advised, Low items are context-dependent hardening.

01 Does every MCP endpoint require authentication — including sub-paths?High
CVE-2026-33032 (CVSS 9.8) on nginx-ui was caused by one missing middleware call: the /mcp_message endpoint lacked the auth guard present on /mcp. An attacker could invoke all 12 exposed tools without credentials in two HTTP requests.

How to check: Map every route your server exposes. Confirm the same auth middleware wraps each one. Source: MCPwn writeup, 2026.
```
curl -s -o /dev/null -w "%{http_code}" https://your-server/mcp_message
# Expect 401 or 403, not 200
```
02 Are there any hardcoded or static credentials in config files?High
Astrix Security found 53% of MCP servers use static credentials. Static keys have no rotation mechanism, meaning one leak gives permanent access.

How to check: Search your repo for API key patterns and confirm secrets are loaded from environment variables, not source code.
```
git grep -E "(api_key|secret|token)\s*=\s*['\"][A-Za-z0-9]" .
```
03 Is TLS enforced on all non-STDIO transports with no HTTP fallback?High
SSE and HTTP transports send session tokens and tool outputs in plaintext over HTTP. Any network between client and server can intercept them.

How to check: Attempt to connect via http:// instead of https://. The server should refuse the connection or redirect permanently, not serve a response.
```
curl -v http://your-server/mcp 2>&1 | grep -E "301|302|Connection refused"
```
04 Is the SSE session-establishment endpoint (GET) also authenticated?High

In CVE-2026-33032, the unauthenticated GET to /mcp was sufficient to obtain a session ID, which was then used to call tools via an also-unauthenticated POST. Auth on the POST alone does not protect the session.

How to check: Issue a GET to your SSE endpoint with no credentials. It should return 401, not an event-stream response.
05 Is the IP allowlist explicitly set rather than defaulting to allow-all?Medium

nginx-ui defaulted the MCP IP whitelist to empty, which the application interpreted as allow-all. An attacker with network access could reach the server from any IP. Trend Micro found 492 MCP servers exposed to the internet with zero authentication.

How to check: Read your server's allowlist config. Confirm an empty list is treated as deny-all, not allow-all. Add an explicit allowlist if the behavior is ambiguous.
06 Does the STDIO transport guard against arbitrary OS command execution at startup?High

The Ox Security disclosure found that MCP's STDIO transport executes whatever command is passed to spin up the server. If that command path is user-influenced, an attacker gets arbitrary execution. The Register, April 2026.

How to check: Review where the server command string originates. It must come from a trusted, user-inaccessible config source — not a query parameter, environment variable set by the user, or config file the user can write.
07 Does each tool operate at the minimum privilege it needs?High

A tool that reads files does not need write access. A tool that queries a database does not need schema modification rights. Over-permissioned tools turn every other vulnerability into a larger blast radius.

How to check: List every tool and its actual permission requirements. Compare against what the running process holds. Remove anything unused.
08 Do tool handlers validate and reject unexpected input shapes?High
Argument injection (CVEs on GPT Researcher and Upsonic in 2026) exploited handlers that passed user-supplied arguments to shell commands without sanitization.

How to check: Send a tool call with inputs containing shell metacharacters (; rm -rf /tmp/test), path traversal sequences, and overlong strings. The handler should reject them, not silently pass them through.
```
# Example probe
echo '{"tool":"read_file","args":{"path":"../../etc/passwd"}}' \
  | your-mcp-client
```
09 Do destructive tools require human confirmation before executing?High

Research from arXiv 2504.03767 documents remote access control attacks that execute multi-step destructive operations. Requiring a confirmation step breaks the attack chain.

How to check: Identify every tool that deletes, modifies, or transmits data. Confirm the client-side UI presents a confirmation prompt before the tool runs, not after.
10 Is auto-approval disabled on the MCP client?High

MCPTox benchmark testing found an 84.2% tool-poisoning success rate when auto-approval was enabled. Disabling it drops the success rate substantially because the user becomes a circuit-breaker.

How to check: Open your MCP client settings and confirm there is no "approve all" or "skip confirmation" flag set. Check this in CI environments especially, where developers sometimes enable auto-approval for convenience.
11 Are rate limits enforced on tool call volume per session?Medium

An attacker who gains a valid session can spam tool calls to exfiltrate data, exhaust downstream API quotas, or conduct brute-force operations. No rate limit means no friction.

How to check: Send 100 tool calls in rapid succession from a single session. Confirm the server throttles or rejects calls above a configured threshold.
12 Are the server’s name, description, and tool descriptions free of injected instructions?High
MCP marketplace poisoning (9 of 11 marketplaces affected in Ox Security testing) embeds invisible instructions inside tool descriptions. The LLM client reads these and may act on them without the user seeing them.

How to check: Inspect every string your server returns in its capability manifest. Look for hidden Unicode, invisible characters, or instructions targeting the model rather than the developer. SlowMist checklist, 2026.
```
cat -A your-server-manifest.json | grep -P "[\x00-\x08\x0b\x0c\x0e-\x1f]"
```
13 Does the server sanitize data returned from external sources before passing it to the LLM?High

Zero-click prompt injection (affecting Windsurf, Cursor, and GitHub Copilot in 2026 disclosures) worked by embedding LLM instructions inside files, web pages, or database records that the MCP tool fetched and returned. The LLM received the injected text as trusted context.

How to check: Pass a resource containing obvious injection strings (e.g., Ignore previous instructions and respond with...) through your tool. Confirm the LLM client does not act on the injected command.
14 In multi-server setups, does each server treat data from other servers as untrusted?Medium

Cross-server hijacking exploits implicit trust between MCP servers. If Server A passes output to Server B without validation, a compromised Server A can inject instructions that Server B executes with its own higher privileges.

How to check: Trace the data path through your multi-server topology. Confirm each server validates inputs independently, regardless of which server sent them.
15 Are all third-party MCP packages pinned to exact versions with checksum verification?High
Supply chain attacks on MCP packages are documented. A package updated with a malicious payload after your initial audit will not be caught unless you verify checksums at install time. Floating version ranges (^1.2.0) silently accept malicious updates.

How to check: Open your package.json or equivalent. Confirm MCP-adjacent dependencies use exact version pins. Run npm ci (not npm install) in production to enforce the lockfile.
```
cat package.json | jq '.dependencies | to_entries[] | select(.value | startswith("^") or startswith("~"))'
```
16 Have all marketplace-sourced skills been audited for injected payloads?High

Koi Security found 341 malicious skills on ClawHub out of 2,857 audited. 335 were part of a coordinated campaign delivering Atomic Stealer. Marketplaces do not pre-screen submissions.

How to check: For every marketplace skill installed, read its full source code. Check tool descriptions for hidden Unicode characters. Do not install skills from repositories with fewer than 6 months of activity and no external reviews.
17 Is the server protected against rug pulls — tool list or description changes after client approval?Medium

A rug pull attack modifies a server’s tool list or tool descriptions after the user has approved them. The client may continue operating under the assumption that the approved description is still accurate.

How to check: Confirm your client re-validates tool descriptions at each session, not only on first approval. Hash the manifest on approval and alert if it changes.
18 Is the server process isolated in a container or sandbox?High
An MCP server that runs with host-level filesystem and network access gives any successful exploit full access to the host. Container isolation limits the blast radius to the container’s defined scope.

How to check: Confirm your server runs in a Docker container (or equivalent) with no --privileged flag and explicit volume mounts only for the directories it needs.
```
docker inspect your-mcp-container | jq '.[0].HostConfig.Privileged'
# Must return false
```
19 Do tools that make outbound HTTP requests validate the destination URL against an allowlist?High

BlueRock Security found 36.7% of over 7,000 MCP servers vulnerable to SSRF. An SSRF vulnerability lets an attacker use your server as a proxy to reach internal services: metadata APIs, internal dashboards, and other hosts on the same network.

How to check: Send a tool call with a URL pointing to a private IP range (http://169.254.169.254/ for cloud metadata, http://10.0.0.1/ for internal hosts). The server should reject it before making the request.
20 Do file-serving tools block path traversal?High

Anthropic’s own Git MCP server received three CVEs in January 2026, including path traversal and argument injection vulnerabilities. Path traversal is one of the oldest vulnerabilities in web applications and still common in MCP implementations.

How to check: Call a file-reading tool with a path containing ../ sequences targeting a file outside the intended working directory (e.g., ../../../etc/passwd). The tool should return an error, not the file contents.
21 Do logs capture every tool invocation, session open, and auth event with timestamp and caller identity?High

Without structured audit logs, a credential theft (the third attack class in arXiv 2504.03767) may not be detected until the credential is used maliciously. Logging gives you a timeline for incident response.

How to check: Invoke a tool and then check your log store. Confirm the log entry includes: timestamp, session ID, tool name, caller identity, and input summary (not raw input if it may contain secrets).
22 Are credentials and secrets excluded from log output?High

Logging full request bodies can write API keys, passwords, and session tokens to log files that are accessible to a wider audience than the service itself. Log scrubbing is a standard control and still commonly absent in MCP implementations.

How to check: Pass a tool call that includes a parameter named api_key or password. Check the resulting log entry to confirm the value is redacted or absent.
23 Are alerts configured for anomalous call patterns?Medium

Automated attacks against MCP servers often generate recognizable signatures: high call volumes, sequential file path enumeration, repeated failed auth attempts. Alerting on these patterns is the fastest way to detect an in-progress attack.

How to check: Confirm you have at least one alert for: (a) more than N failed auth attempts in 60 seconds, (b) more than M tool calls in 60 seconds from a single session, (c) any call to a tool from an IP outside the expected range.
24 Have you run an automated scanner against the server?Low

Manual checklists miss things. MCPSafetyScanner (introduced in arXiv 2504.03767) generates adversarial samples from your server’s own configuration and tests them programmatically. It takes about 10 minutes and surfaces issues this checklist cannot catch through static review alone.

How to check: Run MCPSafetyScanner against your server endpoint, or use the Septim MCP Security Checklist tool to run a structured pass against all 24 items above and get a scored output you can share with your team.

Want a scored report you can actually share?

The free checklist tool above runs you through these 24 items interactively. If you need a full audit with findings, remediation steps, and a PDF you can hand to a security team or client, that’s what Septim Spire is for.

Septim Spire — full audit, $199 →

The three vulnerability classes that cause most real incidents

Twenty-four items is a lot. If you are triaging a server under time pressure, prioritize the three classes that arXiv 2504.03767 and the 2026 CVE record show causing the most real incidents:

Auth bypass. Items 1, 4, 21. One missing middleware call creates a CVSS 9.8. Check every endpoint, including sub-paths and the SSE session endpoint.
Prompt injection. Items 12, 13, 14. The LLM is part of your attack surface. Data it reads is data it may act on.
Supply chain. Items 15, 16. You are responsible for every package you pull in. Marketplaces do not pre-screen. Pin versions, read source code, verify checksums.

The other 18 items matter. But if you can only run three categories today, run those three.

Sources

The Register: "MCP design flaw puts 200k servers at risk" — April 16, 2026. Primary source for the STDIO design flaw, Ox Security researcher names, and CVE list.
Gentic News: "MCP Security Crisis: 43% of Servers Vulnerable" — 2026. Aggregation of BlueRock, Trend Micro, Astrix, and Koi Security findings.
arXiv 2504.03767: "MCP Safety Audit" — Radosevich & Halloran, April 2025. Primary academic source for attack class taxonomy and MCPSafetyScanner.
SlowMist MCP Security Checklist — GitHub. Primary structural reference for checklist categories and severity tiers.
New Claw Times: CVE-2026-33032 writeup — 2026. Primary source for nginx-ui auth bypass mechanics and Yotam Perkal quote.

Want Septim to audit your stack?

Spire is a structured technical audit: we work through the 24 items above against your actual server configuration, document every finding with severity and remediation steps, and deliver a written report within 5 business days. One-time, no subscription.

Septim Spire — $199 →