Over the past few months we’ve been running the MCP Trust Registry, an open scanning project looking at security posture across publicly available MCP server builds.

We’ve analyzed 8,000+ servers so far using 22 rules mapped to the OWASP MCP Top 10.

Some findings:

• ~36.7% exposed unbounded URI handling → SSRF risk (same class of issue we disclosed in Microsoft’s Markitdown MCP server that allowed retrieval of instance metadata credentials)
• ~43% had command execution paths that could potentially be abused
• ~9.2% included critical-severity findings

We just added private repo scanning for teams running internal MCP servers. Same analysis, same evidence depth. Most enterprise MCP adoption is internal, so this was the #1 request.

Interested to know what security review processes others have for MCP servers, if any. The gap we keep seeing isn’t intent, it’s that MCP is new enough that standard security gates haven’t caught up.

Happy to share methodology details or specific vuln patterns if useful.