Security Alerts: 2026-03-31
MCP (Model Context Protocol) security is the story of the day, and it is not pretty. Multiple independent reports converge on the same conclusion: the connective tissue of AI agent infrastructure has serious, measurable, and actively exploited vulnerabilities.
---
30 CVEs filed against MCP servers in 60 days. 38 percent have zero authentication. This is not theoretical risk. The attack surface is expanding faster than the security tooling can keep up. The infrastructure that connects Claude Code, Codex, Cursor, and every other agent tool is cracking under pressure.
Source: https://x.com/hexonbot/status/2037945388829966337
---
A high-severity path traversal vulnerability (CVE-2026-33989) was found in mobilenext/mobile-mcp, a package with over 60,000 monthly downloads. First-ever CVE for the researcher who found it. The MCP ecosystem is now large enough that individual packages carry real blast radius.
Source: https://x.com/AbhiTheModder/status/2037998201429688617
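The class of bug behind this item, path traversal in a tool that reads files on the agent's behalf, is worth seeing concretely. The block below is an added example written for this digest, not code from mobile-mcp or any other project named here, and it does not reproduce the actual CVE. It shows a file-reading tool handler two ways: the vulnerable version joins the caller-supplied path onto a base directory and opens whatever results, while the hardened version resolves the path and refuses anything that lands outside the sandbox. All function names, the sandbox layout and the probe inputs are assumptions constructed for the demo.

```python
# Added example, not code from mobile-mcp or any cited project. A file-reading
# MCP tool handler in vulnerable and hardened form. Names and inputs are
# constructed for the demo and do not reproduce CVE-2026-33989.
import os
import tempfile
from pathlib import Path


class PathTraversal(Exception):
    """Raised when a resolved path escapes the permitted base directory."""


def read_file_vulnerable(base_dir: str, user_path: str) -> str:
    # os.path.join silently discards base_dir when user_path is absolute, and
    # "../" segments walk back out of base_dir. Nothing here stops either.
    target = os.path.join(base_dir, user_path)
    with open(target, "r", encoding="utf-8") as fh:
        return fh.read()


def safe_resolve(base_dir: str, user_path: str) -> Path:
    """Resolve user_path under base_dir, rejecting any escape.

    resolve() canonicalises ".." segments and follows symlinks, so a symlink
    inside base_dir that points outside it is caught as well.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    # is_relative_to (Python 3.9+) is the reliable containment test; a plain
    # string-prefix check would let /srv/data-evil pass for base /srv/data.
    if not candidate.is_relative_to(base):
        raise PathTraversal(f"{user_path!r} escapes {base}")
    return candidate


def read_file_hardened(base_dir: str, user_path: str) -> str:
    target = safe_resolve(base_dir, user_path)
    with target.open("r", encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Build a throwaway sandbox and record what each handler does with
    in-bounds and traversal requests. Inputs are constructed for the demo."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = Path(tmp) / "sandbox"
        sandbox.mkdir()
        (sandbox / "notes.txt").write_text("inside")
        secret = Path(tmp) / "secret.txt"          # outside the sandbox
        secret.write_text("outside")

        results["in_bounds"] = read_file_hardened(str(sandbox), "notes.txt")
        # Traversal attempts the hardened handler must refuse.
        probes = [("dotdot", "../secret.txt"),
                  ("absolute", str(secret)),
                  ("nested", "sub/../../secret.txt")]
        for label, probe in probes:
            try:
                read_file_hardened(str(sandbox), probe)
                results[label] = "served"
            except PathTraversal:
                results[label] = "blocked"
        # The same probe against the vulnerable handler reads the outside file.
        results["vulnerable_dotdot"] = read_file_vulnerable(str(sandbox), "../secret.txt")
    return results
```

The containment check has to run on the fully resolved path, after symlinks are followed, and has to be a path-component comparison rather than a string prefix; both shortcuts are common and both are bypassable.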
---
CVE-2026-5023 disclosed in DeDeveloper23/codebase-mcp. The vulnerability affects the getCodebase and getRemote functions. Another day, another MCP server with exploitable code. The pattern is unmistakable.
Source: https://x.com/CVEnew/status/2038135150937350457
---
Researchers moved from static analysis to runtime validation, turning findings into working exploits against 6 high-profile MCP servers. This is the transition from "we found bugs" to "we proved they are exploitable." The gap between discovery and weaponization is shrinking.
Source: https://x.com/_r_netsec/status/2038080726533599403
---
New research analyzed 177,436 MCP tools (arXiv:2603.23802). 65 percent now take real-world actions like financial transactions, file edits, and email sends. That is up from 27 percent just 16 months ago, a 2.4x increase. 97 million monthly SDK downloads. 66 percent have security findings. No cross-organization identity protocol for agents exists. When agents go from reading data to modifying the real world, the security model breaks.
Source: https://x.com/0xbrainKID/status/2038122792512594288
---
The GlassWorm campaign has moved into MCP package impersonation. The Trivy supply chain attack demonstrated how compromised tooling runs silently while everything looks normal. Most people treat MCP servers like trusted internal services, but they are third-party code executing with your agent's permissions. Every MCP connection should be treated as an untrusted boundary: scoped tool access, egress controls, and audit logging on every call.
Source: https://x.com/AdityaMBAsymbi/status/2037921746611736772
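What "treat every MCP connection as an untrusted boundary" looks like in code, as an added example for this digest rather than code from any project named above: a small policy gate that sits between the agent and a server's tool handlers. It enforces the three controls the item above calls for (a least-privilege tool allowlist, an egress host allowlist for URL-carrying arguments, and an append-only audit record for every decision) plus the bearer authentication that the first item says 38 percent of servers lack. The request shape follows the MCP `tools/call` JSON-RPC method (`params.name`, `params.arguments`); the token, policy, tool names, error codes and log sink are all assumptions constructed for the demo.

```python
# Added example, not code from any project on this page. A policy gateway for
# MCP tool calls: auth, scoped tools, egress allowlist, audit on every call.
# Request shape follows MCP "tools/call"; everything else is assumed for the demo.
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Policy:
    bearer_token: str                          # shared secret the client must present
    allowed_tools: frozenset                   # least privilege: tools this agent may call
    allowed_egress_hosts: frozenset            # hosts a tool may reach on the agent's behalf
    url_args: frozenset = frozenset({"url"})   # argument names that carry outbound URLs


@dataclass
class Gateway:
    policy: Policy
    handlers: dict                             # tool name -> callable(arguments) -> result
    audit_log: list = field(default_factory=list)

    def _audit(self, **record) -> None:
        record["ts"] = time.time()
        # Append-only JSON lines: every decision, allowed or denied, is recorded.
        self.audit_log.append(json.dumps(record, sort_keys=True))

    def _egress_ok(self, arguments: dict) -> bool:
        for key in self.policy.url_args:
            if key in arguments:
                host = (urlsplit(str(arguments[key])).hostname or "").lower()
                if host not in self.policy.allowed_egress_hosts:
                    return False
        return True

    def call(self, request: dict, token: Optional[str]) -> dict:
        """Handle one JSON-RPC tools/call request and return a JSON-RPC reply."""
        rid = request.get("id")
        params = request.get("params") or {}
        name = params.get("name")
        arguments = params.get("arguments") or {}

        def deny(code: int, reason: str) -> dict:
            self._audit(id=rid, tool=name, decision="deny", reason=reason)
            return {"jsonrpc": "2.0", "id": rid,
                    "error": {"code": code, "message": reason}}

        if request.get("method") != "tools/call":
            return deny(-32601, "method not allowed through gateway")
        # Constant-time comparison so the token cannot be recovered by timing.
        if token is None or not hmac.compare_digest(token, self.policy.bearer_token):
            return deny(-32001, "unauthenticated")
        if name not in self.policy.allowed_tools or name not in self.handlers:
            return deny(-32002, "tool not in scope")
        if not self._egress_ok(arguments):
            return deny(-32003, "egress host not allowed")

        result = self.handlers[name](arguments)
        self._audit(id=rid, tool=name, decision="allow", arguments=arguments)
        return {"jsonrpc": "2.0", "id": rid, "result": result}


def demo() -> dict:
    """Run constructed requests through a gateway and report each outcome."""
    policy = Policy(
        bearer_token="demo-token-not-a-real-secret",
        allowed_tools=frozenset({"fetch_page"}),
        allowed_egress_hosts=frozenset({"docs.example.com"}),
    )
    handlers = {
        "fetch_page": lambda a: {"content": f"fetched {a['url']}"},
        "send_email": lambda a: {"sent": True},   # exists on the server, not in scope
    }
    gw = Gateway(policy, handlers)

    def req(i, name, args):
        return {"jsonrpc": "2.0", "id": i, "method": "tools/call",
                "params": {"name": name, "arguments": args}}

    good = req(1, "fetch_page", {"url": "https://docs.example.com/guide"})
    return {
        "no_token": gw.call(good, None),
        "ok": gw.call(good, policy.bearer_token),
        "exfil": gw.call(req(2, "fetch_page", {"url": "http://attacker.example/leak"}),
                         policy.bearer_token),
        "out_of_scope": gw.call(req(3, "send_email", {"to": "x@example.com"}),
                                policy.bearer_token),
        "audit_entries": len(gw.audit_log),
    }
```

The gate deliberately allowlists rather than blocklists: a tool the server advertises but the policy does not name is refused, and a URL argument whose host is not named is refused, which is what prevents a compromised or impersonated server's extra tools from being reachable with the agent's permissions.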
---
AgentSeal has scanned over 7,500 MCP servers so far. More than 40 percent have real vulnerabilities, including servers with 10,000+ GitHub stars. They maintain a public registry where you can look up any server's security status. The scale of the problem is now quantified.
Source: https://x.com/agentseal_org/status/2038003596323684452