Model Context Protocol has a security problem that won’t go away.When VentureBeat first reported on MCP’s vulnerabilities last October, the data was already alarming. Pynt’s research showed that deploying just 10 MCP plug-ins creates a 92% probability of exploitation — with meaningful risk even from a single plug-in.The core flaw hasn’t changed: MCP shipped without mandatory authentication. Authorization frameworks arrived six months after widespread deployment. As Merritt Baer, chief security officer at Enkrypt AI, warned at the time: “MCP is shipping with the same mistake we’ve seen in every major protocol rollout: insecure defaults. If we don’t build authentication and least privilege in from day one, we’ll be cleaning up breaches for the next decade.”Three months later, the cleanup has already begun — and it’s worse than expected.Clawdbot changed the threat model. The viral personal AI assistant that can clear inboxes and write code overnight runs entirely on MCP. Every developer who spun up a Clawdbot on a VPS without reading the security docs just exposed their company to the protocol’s full attack surface.Itamar Golan saw it coming. He sold Prompt Security to SentinelOne for an estimated $250 million last year. This week, he posted a warning on X: “Disaster is coming. Thousands of Clawdbots are live right now on VPSs … with open ports to the internet … and zero authentication. This is going to get ugly.”He’s not exaggerating. When Knostic scanned the internet, they found 1,862 MCP servers exposed with no authentication. They tested 119. Every server responded without requiring credentials.Anything Clawdbot can automate, attackers can weaponize.Three CVEs are exposing the same architectural flawThe vulnerabilities aren’t edge cases. They’re direct consequences of MCP’s design decisions. Here’s a brief description of the workflows that expose each of the following CVEs:CVE-2025-49596 (CVSS 9.4): Anthropic’s MCP Inspector exposed unauthenticated access between its web UI and proxy server, allowing full system compromise via a malicious webpage.CVE-2025-6514 (CVSS 9.6): Command injec …
