For a year, the security case against the Model Context Protocol has been an argument about language. Tool poisoning hides instructions in a tool's description. The confused-deputy problem tricks a trusted client into wielding its authority on an attacker's behalf. Prompt injection that escalates to code execution works by smuggling text past a model. The threat model has been, essentially, the words are dangerous.
A new preprint suggests we have been looking one layer too high.
The scan#
VIPER-MCP — described in arXiv paper 2605.21392 — is an automated auditing framework that pointed itself at 39,884 open-source MCP server repositories and came back with 106 previously-unknown vulnerabilities, every one confirmed with a working exploit. 67 have already been assigned CVE IDs.
The striking part is not the count. It is the category. These are not novel machine-learning failures. They are the three most boring entries in the appsec catalogue:
- Command injection (CWE-078): a tool argument gets interpolated into a shell string handed to
execorspawn. - SSRF (CWE-918): a tool argument decides the URL of an outbound request, opening the door to internal-network scanning and cloud-metadata theft.
- Path traversal: insufficient path validation lets a tool read files it was never meant to touch.
None of that is specific to AI. A CGI script in 1999 could have shipped every one of these bugs. What is specific to AI is who now reaches the sink.
Why the model is the exploit primitive#
In a normal web service, an attacker has to find an input, understand the parameter, and craft a payload. In an MCP server, the LLM does the crafting. The tool handler exposes its arguments as a schema; the model fills them in from natural-language intent; and the resulting values flow straight into exec, into fetch, into open. The agent is, functionally, a remote, cooperative fuzzer that will happily walk right up to any sink you leave undefended.
The LLM isn't the vulnerability. It's the delivery mechanism that turns a dusty command-injection bug into a remotely reachable one.
That reframing is the one genuinely non-obvious idea here, and VIPER-MCP's design is built around proving it. Static taint analyzers have flagged suspicious flows for decades and are notorious for crying wolf. What sets this framework apart is a second, dynamic stage: after its two-pass static analysis resolves each alert down to the concrete tool-handler function, a feedback loop evolves the prompt itself — mutating and scoring natural-language inputs until the model actually triggers the vulnerable call and emits a real proof-of-concept. That is the difference between a warning and a CVE, and it is why 67 of these are now tracked bugs rather than lint noise. (An earlier framework, MCPGuard, showed the static half of this idea; VIPER's contribution is closing the loop on exploitability.)
The exposure multiplier#
A command-injection bug in a script nobody can reach is a curiosity. These are not that. In late April 2026, Censys counted 12,520 internet-exposed MCP services — and roughly 40% of them had no authentication at all. Within about a week that exposed count had more than doubled. MCP was designed for local, trusted-network use; the spec never required auth, and the deployment reality has raced ahead of that assumption. A registry audit earlier in the year found a near-identical 41% of official servers shipping without authentication.
Stack the two findings together and the picture is unpleasant: a large, fast-growing population of servers, a substantial fraction reachable without credentials, running handler code that an automated tool can break in bulk. OWASP's 2026 data still puts prompt injection at the top of production agentic failures — but that is the failure people are watching for. The taint-style bugs are the ones shipping quietly underneath.
What to actually do#
The fix is not novel, which is precisely the point. If you run an MCP server:
- Treat every
tools/callargument as hostile input to a public endpoint — because with ~40% of servers unauthenticated, for many that is literally true. Start with proper authentication on remote servers. - Never build a shell string from a tool argument. Use array-form process spawning, allowlist commands, and drop the shell entirely where you can.
- Constrain SSRF sinks: allowlist destination hosts, block link-local and metadata ranges, and refuse redirects to internal addresses.
- Canonicalize and jail file paths before any read, and reject anything that escapes the sandbox root.
- Run a taint scanner in CI and exercise the handlers like an adversary would, not just for the happy path.
The MCP ecosystem spent its first year worrying that models would be talked into doing something bad. VIPER-MCP is a reminder that the older worry never left: sometimes the model doesn't need to be tricked at all. It just needs a handler that forgot to check its inputs.



