In this blog post, we’ll delve into the world of the Model Context Protocol (MCP), an open standard designed to facilitate seamless integration between AI models and various data sources, tools, and systems. We’ll explore how its simplicity and widespread adoption have led to a proliferation of servers without basic security features, making them vulnerable to attacks.
Our goal is to raise awareness about the critical need for mandatory authentication in the MCP protocol, and we believe that this should serve as a wake-up call for other standards to follow suit.
The Model Context Protocol: A Primer
The MCP follows a client-host-server architecture, built on JSON-RPC using two transport mechanisms:
- Sub-process, using Standard Input and Output,
- Independent process, using streamable HTTP or Server-Sent Events (SSE).
The protocol standard’s simplicity coupled with its de facto compatibility with existing open- and closed-weight Large Language Models (LLMs) made it an instant hit, with widespread adoption from the open-source community and almost all leading LLM trainers.
As of version 2024-11-05, the MCP standard has already been used in over 4,800 MCP server implementations, according to the MCP.io website. Unfortunately, this version didn’t include an authorization mechanism in its specification, even though the draft version had included one as an optional feature.

The next version, 2025-03-26, re-introduced the authorization specification as an optional feature yet again.

(Authorization – MCP Specification)
Double-Edged Primitives
By design, the MCP protocol standard mandates servers to publish three fundamental building blocks:
- Prompts
- Resources
- Tools
From a client perspective, these three primitives represent:
- System Instructions
- Data Access
- Function Execution
However, from a malicious perspective, the same three primitives represent:
- Information Leakage
- Data Exfiltration
- Remote Command Execution
As an example of this, Invariant Labs recently published a new MCP attack vector called Tool Poisoning Attacks, which utilizes the three primitives at once to achieve critical vulnerabilities on the host system.
In this attack, the MCP server itself acts maliciously, and since, as previously mentioned, servers are unauthenticated by design, the result will be a “wild west” of emerging attack vectors across all AI-integrated systems and services.
A Test Case
To test the impact of such specifications firsthand, we created the following Docker Compose environment. (Note that some information is intentionally redacted to avoid fingerprinting the MCP implementor.)

We simply ran docker-compose up and then fired up MCP Inspector:

This immediately shows us that we can connect to and use the MCP Server without authentication at all:

Additionally, this specific MCP Server provides a tool that executes SQL queries against the Postgres database as functionally expected.
This means we are one step away from exposing our entire database externally: the listening hostname is the only thing standing between this MCP server and the outside world.
The important question here is: Are we ahead of the curve in terms of MCP security or not?
A Quick Exercise: Searching for MCP Servers
To answer the question above, we performed a quick exercise.
- We used Grep.app to search GitHub public repositories for MCP servers’ common HTTP headers.
- We used these headers as search queries on Shodan.
- Bingo!
We discovered two hosts running a public MCP server over plain HTTP. One of them had already been flagged as “compromised” by Shodan, and the other was also publishing n8n, Open WebUI and even Ollama web applications before it was apparently taken down.

It is worth noting that Ollama servers – just like MCP servers – are unauthenticated by default and have already had their fair share of remote code execution vulnerabilities (CVE-2024-37032).
The Takeaway: Mandatory Authentication for MCP
In conclusion, we believe that authentication is a mandatory requirement for any standard that involves remote execution of code or sensitive data access. The MCP protocol should require authentication to prevent implementors from claiming full specification compliance while omitting authentication altogether. This will help prevent insecure deployments and ensure the integrity of AI-integrated systems and services.
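As an added illustration of what “authentication as a requirement, not an option” looks like at the protocol layer, the following is a minimal MCP-style JSON-RPC-over-HTTP endpoint written for this post (it is not the reference implementation, the official SDK, or the implementor’s server). The token handling, the server name and the single “echo” tool are constructed; the JSON-RPC methods mirror the shape of initialize, tools/list and tools/call in the 2025-03-26 specification.

```python
"""Minimal MCP-style JSON-RPC-over-HTTP endpoint that refuses every request
lacking a valid bearer token. Constructed for this post: it mirrors the shape of
the protocol (initialize, tools/list, tools/call) but is not a reference
implementation; the token and the single 'echo' tool are made up."""
import hmac
import http.client
import json
import os
from typing import Optional

# Constructed static secret; a real deployment issues per-client credentials
# (for instance via the OAuth flow in the 2025-03-26 authorization spec).
API_TOKEN = os.environ.get("MCP_DEMO_TOKEN", "constructed-demo-token")
PROTOCOL_VERSION = "2025-03-26"
TOOLS = [{
    "name": "echo",
    "description": "Return the text that was passed in.",
    "inputSchema": {"type": "object",
                    "properties": {"text": {"type": "string"}},
                    "required": ["text"]},
}]


def _authorized(headers: dict) -> bool:
    """Bearer-token check with a constant-time comparison."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), API_TOKEN.encode())


def encode_rpc(method: str, params: Optional[dict] = None, req_id: int = 1) -> bytes:
    """Serialize a JSON-RPC request the way an MCP client would send it."""
    msg = {"jsonrpc": "2.0", "id": req_id, "method": method}
    if params is not None:
        msg["params"] = params
    return json.dumps(msg).encode()


def _result(req_id, result):
    return {"jsonrpc": "2.0", "id": req_id, "result": result}


def _error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def handle_request(headers: dict, body: bytes) -> tuple:
    """Return (HTTP status, JSON body). The token is checked before the body is
    parsed, so an unauthenticated caller learns nothing: not the tool list, not
    even whether its payload was valid JSON-RPC."""
    headers = {k.lower(): v for k, v in headers.items()}
    if not _authorized(headers):
        return 401, {"error": "unauthorized"}
    try:
        req = json.loads(body)
    except ValueError:
        return 400, _error(None, -32700, "Parse error")
    if not isinstance(req, dict):
        return 400, _error(None, -32600, "Invalid Request")
    method, params, req_id = req.get("method"), req.get("params") or {}, req.get("id")
    if method == "initialize":
        return 200, _result(req_id, {"protocolVersion": PROTOCOL_VERSION,
                                     "capabilities": {"tools": {}},
                                     "serverInfo": {"name": "demo-mcp", "version": "0.1"}})
    if method == "tools/list":
        return 200, _result(req_id, {"tools": TOOLS})
    if method == "tools/call":
        if params.get("name") != "echo":
            return 200, _error(req_id, -32602, "Unknown tool")
        text = params.get("arguments", {}).get("text")
        if not isinstance(text, str):
            return 200, _error(req_id, -32602, "Invalid params: 'text' must be a string")
        return 200, _result(req_id, {"content": [{"type": "text", "text": text}],
                                     "isError": False})
    return 200, _error(req_id, -32601, "Method not found")


def wsgi_app(environ, start_response):
    """Thin WSGI wrapper so the handler can be served by any WSGI server."""
    headers = {"authorization": environ.get("HTTP_AUTHORIZATION", "")}
    length = int(environ.get("CONTENT_LENGTH") or 0)
    status, payload = handle_request(headers, environ["wsgi.input"].read(length))
    data = json.dumps(payload).encode()
    extra = [("WWW-Authenticate", "Bearer")] if status == 401 else []
    start_response(f"{status} {http.client.responses.get(status, '')}",
                   [("Content-Type", "application/json"),
                    ("Content-Length", str(len(data)))] + extra)
    return [data]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Loopback only: network exposure is the first control, authentication the second.
    make_server("127.0.0.1", 8080, wsgi_app).serve_forever()
```

Two choices matter here. The credential check runs before the JSON-RPC body is parsed, so an unauthenticated MCP Inspector session gets a bare 401 instead of the tool catalogue the screenshots above show; and the server still binds to loopback by default, because mandatory authentication complements, rather than replaces, not listening on a public interface in the first place.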
As the MCP protocol continues to gain traction, we hope this blog post serves as a wake-up call for the community to prioritize security and adopt mandatory authentication.