For a year, the security case against the Model Context Protocol has been an argument about language. Tool poisoning hides instructions in a tool's description. The confused-deputy problem tricks a trusted client into wielding its authority on an attacker's behalf. Prompt injection that escalates to code execution works by smuggling text past a model. The threat model has been, essentially, that the words are dangerous.

A new preprint suggests we have been looking one layer too high.

The scan

VIPER-MCP — described in arXiv paper 2605.21392 — is an automated auditing framework that pointed itself at 39,884 open-source MCP server repositories and came back with 106 previously unknown vulnerabilities, every one confirmed with a working exploit. Sixty-seven have already been assigned CVE IDs.

The striking part is not the count. It is the category. These are not novel machine-learning failures. They are the three most boring entries in the appsec catalogue:

None of that is specific to AI. A CGI script in 1999 could have shipped every one of these bugs. What is specific to AI is who now reaches the sink.

Why the model is the exploit primitive

In a normal web service, an attacker has to find an input, understand the parameter, and craft a payload. In an MCP server, the LLM does the crafting. The tool handler exposes its arguments as a schema; the model fills them in from natural-language intent; and the resulting values flow straight into exec, into fetch, into open. The agent is, functionally, a remote, cooperative fuzzer that will happily walk right up to any sink you leave undefended.

The LLM isn't the vulnerability. It's the delivery mechanism that turns a dusty command-injection bug into a remotely reachable one.
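To make the "dusty bug, new delivery mechanism" point concrete, here is an added illustration that is not code from the paper or from any of the audited servers: a minimal tool handler of the kind described above, first in the form that interpolates model-supplied arguments into a shell string, then hardened so the same arguments are validated and passed as an argv list. The tool, its argument names and the workspace path are assumptions.

```python
"""A constructed MCP tool handler whose arguments reach a sink, before and after hardening."""
import re
import subprocess
from pathlib import Path

# Hypothetical tool: show recent commits for a branch of a repository checked
# out under WORKSPACE. Both arguments are filled in by the model from
# natural-language intent, so anyone who can talk to the agent controls them.
WORKSPACE = Path("/srv/workspace").resolve()   # assumed base directory
BRANCH_RE = re.compile(r"[A-Za-z0-9._/-]{1,100}")  # allowlist for git ref names


def git_log_vulnerable(repo: str, branch: str) -> str:
    # The 'before': model-supplied values are spliced into a shell command line,
    # so a branch value containing shell metacharacters runs extra commands.
    cmd = f"git -C {WORKSPACE / repo} log --oneline -n 5 {branch}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def resolve_repo(repo: str) -> Path:
    # Path-traversal guard: normalise the path and require it to stay under WORKSPACE.
    target = (WORKSPACE / repo).resolve()
    if target != WORKSPACE and WORKSPACE not in target.parents:
        raise ValueError(f"repo escapes workspace: {repo!r}")
    return target


def validate_branch(branch: str) -> str:
    # A ref is a name, not a shell fragment; also refuse anything git could parse as an option.
    if not BRANCH_RE.fullmatch(branch) or branch.startswith("-"):
        raise ValueError(f"invalid branch name: {branch!r}")
    return branch


def build_argv(repo: str, branch: str) -> list[str]:
    # Every value becomes exactly one argument; no shell ever sees it.
    # The trailing "--" ends revision parsing so the ref cannot be read as a path or flag.
    target = resolve_repo(repo)
    ref = validate_branch(branch)
    return ["git", "-C", str(target), "log", "--oneline", "-n", "5", ref, "--"]


def git_log_hardened(repo: str, branch: str) -> str:
    # The 'after': validation happens before the sink, and shell=False is the default.
    proc = subprocess.run(build_argv(repo, branch), capture_output=True, text=True)
    return proc.stdout
```

The validation lives in `build_argv`, so it can be unit-tested without a git checkout; the same pattern (resolve-and-contain for `open`, allowlisted host for `fetch`) applies to the other sinks the paper names.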

That reframing is the one genuinely non-obvious idea here, and VIPER-MCP's design is built around proving it. Static taint analyzers have flagged suspicious flows for decades and are notorious for crying wolf. What sets this framework apart is a second, dynamic stage: after its two-pass static analysis resolves each alert down to the concrete tool-handler function, a feedback loop evolves the prompt itself — mutating and scoring natural-language inputs until the model actually triggers the vulnerable call and emits a real proof-of-concept. That is the difference between a warning and a CVE, and it is why 67 of these are now tracked bugs rather than lint noise. (An earlier framework, MCPGuard, showed the static half of this idea; VIPER's contribution is closing the loop on exploitability.)

The exposure multiplier

A command-injection bug in a script nobody can reach is a curiosity. These are not that. In late April 2026, Censys counted 12,520 internet-exposed MCP services — and roughly 40% of them had no authentication at all. Within about a week that exposed count had more than doubled. MCP was designed for local, trusted-network use; the spec never required auth, and the deployment reality has raced ahead of that assumption. A registry audit earlier in the year found a near-identical 41% of official servers shipping without authentication.

Stack the two findings together and the picture is unpleasant: a large, fast-growing population of servers, a substantial fraction reachable without credentials, running handler code that an automated tool can break in bulk. OWASP's 2026 data still puts prompt injection at the top of production agentic failures — but that is the failure people are watching for. The taint-style bugs are the ones shipping quietly underneath.

What to actually do

The fix is not novel, which is precisely the point. If you run an MCP server:

The MCP ecosystem spent its first year worrying that models would be talked into doing something bad. VIPER-MCP is a reminder that the older worry never left: sometimes the model doesn't need to be tricked at all. It just needs a handler that forgot to check its inputs.