MCP security is now a must-fix issue: 4,982 flaws, 85% hijack rate

A security sweep of servers has surfaced a wave of serious problems. Trend Micro scanned 9,695 public MCP servers and found exploitable flaws in 2,259 of them, adding up to 4,982 vulnerabilities overall.

The most common issue was servers with no authentication at all (2,054), followed by arbitrary file access (880), (476), server-side request forgery or SSRF (422), SQL injection (211), and (185). Tenet Security disclosed an 'agentjacking' technique that abuses publicly exposed Sentry DSNs (error-tracking connection strings) to inject malicious instructions into coding agents, working 85% of the time against Claude Code, Cursor, and Codex, with 2,388 organizations found to have injectable DSNs.

A worm dubbed 'Miasma,' found by TeamPCP/UNC6780, planted malicious MCP s in 73 , including 's durabletask, so that simply opening the repo runs the payload with no warning. A Kubernetes-focused MCP server also carries CVE-2026-61459, rated CVSS 9.3 (critical): attackers can manipulate resourceType and name parameters to hijack kubectl commands, steal bearer tokens, and take over entire clusters, and a working (PoC) is already public.

Key points

  • Trend Micro found exploitable flaws in 2,259 of 9,695 scanned public MCP servers, 4,982 vulnerabilities total
  • Breakdown includes 2,054 servers with no authentication, 880 with arbitrary file access, 476 with
  • 'Agentjacking' via exposed Sentry DSNs hits Claude Code, Cursor, and Codex 85% of the time; 2,388 orgs exposed
  • The 'Miasma' worm planted malicious MCP configs in 73 GitHub repos, including 's durabletask
  • CVE-2026-61459 (CVSS 9.3, critical) lets attackers hijack Kubernetes MCP servers to steal tokens and take over clusters; a PoC is public
Read original