Back to Blog
July 9, 2026Securix Team

MCP You Can Trust

A study of 9,695 MCP servers found most are vulnerable, and popularity doesn't predict safety. Here's why SecuriX's MCP is safe by design—auth, policy, PII redaction, and audit built in.

The pitch for the Model Context Protocol is that any AI agent can plug into any tool, database, or API through one standard interface. The uncomfortable follow-up question is the one almost nobody asks before wiring an agent to a public MCP server: is that server actually safe? A new large-scale study says that for most of them, the honest answer is no—and that the signals people use to decide, like GitHub stars and "verified" badges, tell you almost nothing about the risk.

MCP You Can Trust

Researchers at Trend AI Security (Trend Micro's AI security arm) crawled four of the most popular MCP directories—GitHub, Glama, Lobehub, and PulseMCP—between November 2025 and March 2026 and analyzed 9,695 MCP servers. The result, published in June 2026 under the pointed title "Stars Don't Save You: Popularity Is Not Security in the MCP Ecosystem," is one of the first ecosystem-wide looks at MCP security. It is not reassuring.

The Headline Numbers

Of the 9,695 servers examined, 5,832 carried at least one security issue, and 2,259 contained confirmed, exploitable vulnerabilities. In total the study catalogued 4,982 distinct security findings. This is not a handful of bad actors on the fringe of the ecosystem—it is the majority of the servers agents are being pointed at every day.

MCP servers are uniquely dangerous when they go wrong because of what they connect to. An MCP server is the bridge between an autonomous AI agent and sensitive resources: file systems, databases, internal APIs, and cloud environments. A vulnerability in an ordinary web app exposes that app. A vulnerability in an MCP server hands an attacker a path—through the agent—into whatever the server was privileged to touch.

What the Vulnerabilities Actually Are

The findings are not exotic, AI-specific novelties. They are the same input-validation and authentication failures that have plagued software for decades, now sitting directly in the path of autonomous agents. The distribution of the 4,982 findings:

Vulnerability classFindings
No authentication mechanism2,054
Arbitrary file access880
Denial-of-service490
Command injection476
Server-side request forgery (SSRF)422
SQL injection211
Prompt injection (malicious behavior)185
Cross-site scripting155
Code injection (vulnerable by design)101
Authorization bypass8

The single largest category is the most damning: 2,054 servers ship with no authentication at all. Anyone who can reach the endpoint can drive it. Worse, the report notes that these weaknesses tend to cluster—arbitrary file access frequently co-occurs with missing authentication—which points to systemic failures in secure design rather than isolated coding slips. When a server has one of these problems, it often has several.

The Real Point: Popularity Is Not a Security Signal

The most important finding is not a raw count—it is a demolition of the heuristics people actually use to trust an MCP server:

  • Stars don't correlate with safety. High-popularity servers (50+ stars) were not meaningfully safer than obscure ones. Mid-tier projects (10–49 stars) showed the highest diversity of vulnerabilities by volume.
  • Activity doesn't correlate with safety. Highly active repositories with 100+ commits had vulnerability rates comparable to barely-maintained ones. A busy commit history is not a security posture.
  • Verification badges don't correlate with safety. "Verified" servers averaged nearly as many security issues as unverified ones.
Trust signal people rely onWhat the data shows
GitHub starsNo reliable link to security; popular ≠ safe
Commit activity100+ commit projects just as vulnerable
Verification badgeVerified servers ≈ as many issues as unverified
Adoption / downloadsWidest adoption = largest blast radius

That last row is the sting in the tail. Popularity doesn't just fail to indicate safety—it actively amplifies risk. The report frames this as "severity-weighted reach": a vulnerable server with tens of thousands of installs creates disproportionate systemic exposure, because a single flaw is now replicated across every organization that trusted the star count. The researchers found vulnerable servers spanning cryptocurrency and DeFi tooling (some enabling remote code execution), office automation software, and enterprise applications exposing SQL injection and unauthenticated Active Directory queries—precisely the kind of supply-chain risk that scales with popularity.

Why SecuriX's MCP Is Safe by Design

At SecuriX we evaluate every agent capability through one question: what happens when it is wrong, hijacked, or abused? This study is the ecosystem-wide answer, and it is exactly the failure mode SecuriX was built to remove. The problem the report describes is what happens when an agent talks to a raw, third-party MCP server directly. SecuriX is built on the opposite assumption: no MCP server is trusted on its own.

When you connect through SecuriX, your agents never speak to a raw server. They speak to a single, governed SecuriX MCP endpoint, and SecuriX enforces—by default—the controls this study found missing across thousands of servers. The safety is not optional or bolted on. It is the connection.

Here is how each category the report flags maps directly to a built-in SecuriX control:

What the study found brokenHow SecuriX handles it by default
No authentication (2,054 servers)Authentication and access control are enforced at the SecuriX layer. Every agent connects through a governed MCP URL with SSO identity attribution—MCP auth is done for you, so an unauthenticated provider never means an unauthenticated agent.
Command / SQL / code injectionDeterministic OPA Rego Policy-as-Code inspects the structure of every request before it reaches the provider. Calls outside policy are blocked, not forwarded.
SSRF / arbitrary file accessLeast-privilege scoping means an agent gets only the exact tools and actions you granted—it cannot reach files, hosts, or resources outside its policy.
Prompt injection / hijacked agentBecause policies are deterministic, a hallucinating or injected agent still cannot exceed what policy allows. And a centralized kill switch severs any connection from one dashboard.
PII / sensitive-data leakageThe DLP engine redacts credit cards (Luhn-validated), SSNs, phone numbers, emails, and API keys on both the request and the tool response—before the model ever sees them.
No audit trailEvery call is captured in a unified, immutable audit trail attributed to an identity, so you can always answer what an agent did.
Popularity = blast radiusOne control plane, one place to see everything and revoke instantly—no per-provider logins, no scattered logs.

The study's own recommendation—"abandon trust-based assumptions… and adopt a zero-trust approach," enforce authentication and least privilege, validate inputs, and inspect traffic—reads like a description of how SecuriX already works. That is not a coincidence. It is the exact architecture we ship.

This is why the MCP providers and tools SecuriX offers—Gmail, Drive, Calendar, and the curated connectors behind a SecuriX Secure MCP URL—are safe to use. They run inside this same governed layer: every request and response passes Rego policy enforcement and DLP redaction, every call is authenticated and logged, and any connection can be killed in one click. You are not choosing a server off a directory and hoping the star count means something. You are connecting through a boundary where the controls the ecosystem is missing are the defaults.

The MCP ecosystem grew faster than its security. This study is the proof. You do not have to audit 9,695 servers or gamble on a badge—you put SecuriX in front, and every connection becomes governed, authenticated, and auditable by default.

Credits & Source

The data and findings in this article are drawn from reporting by GBHackers on the Trend AI Security research report "Stars Don't Save You: Popularity Is Not Security in the MCP Ecosystem." Full credit to the Trend AI Security team for conducting and publishing the study. The security commentary and recommendations framing in this post are our own.


Connecting agents to MCP servers? Don't gamble on a star count. SecuriX's MCP providers and tools are safe by design—authentication is handled for you, every tool call is checked against deterministic policy, PII is redacted on the way in and out, and every request is logged and revocable. Set up your first governed, authenticated MCP connection in seconds at https://dash.securix.app.

Community Forum

Questions, Feedback & Discussions

Join the conversation

Recent Discussions 0 Comments

No questions yet. Be the first!