15RL Audit: Security of Model Context Protocol Servers

15RL Audit: Security of Model Context Protocol Servers

Abstract

The Model Context Protocol (MCP) has rapidly become the standard interface for connecting AI agents to external tools and data sources. 15 Research Lab conducted a security audit of 35 publicly available MCP server implementations to evaluate their security posture. Our findings reveal systemic issues with authentication, input validation, and tool definition security that affect the broader MCP ecosystem.

Background

MCP servers act as bridges between AI agents and external capabilities — databases, file systems, APIs, and application interfaces. When an AI agent invokes a tool, the MCP server receives the request, executes the corresponding operation, and returns results. This intermediary position makes MCP servers a critical security boundary: a compromised or poorly implemented MCP server can undermine every safety control in the agent stack.

Audit Scope

We examined 35 open-source MCP server implementations spanning:

• Database connectors (PostgreSQL, MySQL, MongoDB)
• File system access servers
• API integration servers (GitHub, Slack, email)
• Code execution servers
• Cloud infrastructure management servers

Each server was evaluated against 28 security criteria organized into five categories.

Key Findings

Finding 1: Authentication Gaps

23 of 35 servers (66%) had no authentication mechanism whatsoever. Any client that could reach the server's network endpoint could invoke tools with full privileges. Of the 12 servers implementing authentication, 4 used static API keys transmitted in plain text, and only 3 implemented token rotation.

Finding 2: Input Validation Deficiencies

29 of 35 servers (83%) performed insufficient input validation on tool call parameters. The most common issues:

• No length limits on string parameters (enabling buffer overflow and resource exhaustion)
• No type checking beyond basic JSON schema validation
• No sanitization of parameters passed to shell commands or SQL queries
• No validation of file paths against allowed directories

Finding 3: Tool Definition Injection

A novel attack vector we identified: 14 servers (40%) loaded tool definitions from external sources (configuration files, databases, or remote URLs) without integrity verification. An attacker who could modify these definitions could alter tool descriptions to influence agent behavior, change parameter schemas to capture additional data, or redirect tool execution to malicious endpoints.

Finding 4: Insufficient Logging

26 servers (74%) did not produce audit logs suitable for security forensics. Common gaps included missing timestamps, absent request/response correlation, no user attribution, and logging tool names without parameters.

Finding 5: Privilege Escalation Paths

19 servers (54%) ran with elevated privileges that exceeded the minimum required for their function. Database connectors running as database superusers and file system servers running as root were common patterns. No server in our audit implemented the principle of least privilege for its own runtime permissions.

Risk Summary

| Category | Servers Failing | Risk Rating |

|---|---|---|

| Authentication | 66% | Critical |

| Input Validation | 83% | High |

| Tool Definition Integrity | 40% | High |

| Audit Logging | 74% | Medium |

| Privilege Management | 54% | High |

Recommendations for MCP Server Operators

The Agent-Side Defense

Even with improved MCP server security, organizations should not rely on server-side controls alone. Agent-side gating provides an independent security layer that validates tool calls before they reach the MCP server. SafeClaw implements this agent-side approach, evaluating each tool call against configurable policies before it is transmitted to any MCP server. This means that even if an MCP server has authentication or validation gaps, the agent-side policy engine can prevent dangerous tool calls from being made in the first place. Implementation details are available in the SafeClaw knowledge base.

Conclusion

The MCP ecosystem is maturing rapidly in terms of functionality but remains immature in terms of security. Our audit reveals systemic issues that affect the majority of available implementations. As MCP adoption grows, these security gaps will become increasingly attractive targets. Both server-side hardening and agent-side gating are essential for secure MCP deployments.