Security & TrustSubscribers only Jul 13, 2026 at 02:188Add to bookmarks

The first dedicated report on MCP security catalogs a debt that is growing faster than the ecosystem itself.
A first dedicated report - « State of MCP Security 2026 » by Canopii - lists the vulnerabilities and bad practices of the Model Context Protocol ecosystem. The message is clear: security has not kept up with the pace of adoption.
Published on July 12, 2026 (Canopii PDF), the report analyzes public and private MCP servers and identifies several classes of weaknesses: exposed tokens/credentials, lack of server-side origin control, prompt injection via tool descriptions, unpinned dependencies, and permissive scope management.
MCP exploded in 2025-2026 because it solves a real problem: connecting LLMs to tools without coding N integrations. But the speed of adoption has bypassed hygiene. Three patterns emerge:
The report estimates (to be confirmed by third-party audits) that ~40% of the public MCP servers tested expose at least one secret key in their repo or default config, and that ~65% do not implement origin checks on calls. It proposes a 12-point checklist: strict version pinning, minimal scopes, signing of tool descriptions, on-demand logging, and sandboxing per server.
For a CTO deploying agents: treat MCP as third-party unaudited code. Sandbox per server, strict scopes, manual review of tool descriptions, monitoring of agent outputs. For an investor: the MCP security layer becomes a real market - expect to see 2-3 specialized startups raise funds within 6 months.
A hardened MCP profile published by Anthropic or OpenAI, a public CVE on a popular MCP server, and the first acquisition of an MCP-security startup by an established cyber actor.
Create a free account to access all our content and the weekly review.
Article produced by artificial intelligence, reviewed under human editorial control.
Sign in to join the discussion.
La sécurité doit suivre l'innovation, mais sans tout bloquer. Comment faire ?
Comment concilier innovation et sécurité dans MCP ? La dette de sécurité grandit trop vite.
L'innovation est importante, mais la sécurité ne doit pas être négligée. Comment trouver un équilibre ?
La dette de sécurité qui s'accumule dans MCP est inquiétante. Il faut absolument renforcer les mesures de sécurité pour suivre l'évolution rapide de la technologie.
La sécurité est vraiment négligée au profit des nouveautés. Comment faire évoluer les mentalités ?
Intéressant, mais cette dette de sécurité ne serait-elle pas inévitable avec une techno qui évolue si vite ?
L'évolution rapide de MCP est un vrai problème, mais on a l'impression que la sécurité passe après les fonctionnalités. Comment faire pour que ça change ?
La sécurité des MCP est-elle vraiment prise au sérieux ?