2025-08-31

No Auth, No Control: MCP Servers Found Exposing Internal Tools, Data, and APIs Publicly

Level: Strategic | Source: Knostic | Global

In an investigation led by cybersecurity firm Knostic, researchers discovered a concerning lack of authentication across a broad range of Model Context Protocol (MCP) servers. Their scans revealed “a total of 1,862 MCP servers exposed to the internet,” representing a wide range of industries deploying AI-connected infrastructure without sufficient access controls. MCP servers are used to connect AI models to operational tools and databases, enabling programmatic execution of real-world functions via APIs. While useful, these servers often lack basic protections. A sample of 119 servers was analyzed more deeply, and “all 119 servers allowed access to internal tool listings without authentication.” This finding shows a systemic pattern of insecure configuration among publicly exposed deployments, leaving them vulnerable to misuse.

Knostic’s identification process involved a scanning method using Shodan, Python-based tooling, and fingerprinting. Researchers sought protocol-specific traits such as JSON-RPC responses and SSE headers, and validated MCP compliance through handshake routines and endpoint probing. The presence of endpoints like "/mcp," "/api/mcp," and "/sse" combined with expected server responses confirmed the exposure. One of the researchers noted that many servers publicly revealed connectors to sensitive systems—such as internal productivity dashboards, legal databases, and even cloud service management interfaces. Although the team avoided invoking any tools to prevent unintended side effects, their read-only queries were enough to assess that many deployments are fully accessible and configured to accept arbitrary commands.
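For teams auditing their own inventory, the traits listed above (endpoint path, SSE header, JSON-RPC body) can be turned into a triage check over responses already captured from requests sent without credentials. This is an added example, not Knostic's tooling: the capture dict layout, the verdict names and the sample hosts are assumptions, and the `result.tools` shape is that of an MCP `tools/list` response.

```python
import json
MCP_PATHS = ("/mcp", "/api/mcp", "/sse")  # endpoint paths named in the article

def classify(resp):
    """Classify one response captured for a request sent WITHOUT credentials."""
    path = resp["path"].split("?", 1)[0].rstrip("/")
    if path not in MCP_PATHS:
        return "not-mcp-path"
    if resp["status"] in (401, 403):
        return "auth-enforced"
    if resp["status"] != 200:
        return "inconclusive"
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    is_sse = ctype == "text/event-stream"
    # SSE carries payloads on "data:" lines; plain HTTP carries one JSON body.
    payloads = ([ln[5:] for ln in resp["body"].splitlines() if ln.startswith("data:")]
                if is_sse else [resp["body"]])
    for raw in payloads:
        try:
            msg = json.loads(raw)
        except ValueError:
            continue
        if isinstance(msg, dict) and msg.get("jsonrpc") == "2.0":
            result = msg.get("result")
            if isinstance(result, dict) and isinstance(result.get("tools"), list):
                return "exposed-tool-listing"
            return "exposed-jsonrpc"
    return "exposed-sse" if is_sse else "inconclusive"

def audit(captures):
    """Return (host, path, verdict) for every capture that answered without auth."""
    return [(c["host"], c["path"], v) for c in captures
            if (v := classify(c)).startswith("exposed")]

# Constructed sample captures (hypothetical hosts, not data from the research).
SAMPLES = [
    {"host": "a.example.internal", "path": "/mcp", "status": 200,
     "headers": {"Content-Type": "application/json"},
     "body": '{"jsonrpc":"2.0","id":1,"result":{"tools":[{"name":"query_db"}]}}'},
    {"host": "b.example.internal", "path": "/sse", "status": 200,
     "headers": {"content-type": "text/event-stream; charset=utf-8"},
     "body": "event: endpoint\ndata: /messages?sessionId=constructed\n\n"},
    {"host": "c.example.internal", "path": "/api/mcp", "status": 401,
     "headers": {"WWW-Authenticate": "Bearer"}, "body": ""},
    {"host": "d.example.internal", "path": "/mcp/", "status": 200,
     "headers": {"Content-Type": "text/html"}, "body": "<html>login</html>"},
]
print(audit(SAMPLES))
```

Any `exposed-*` verdict means the endpoint answered a credential-free request and should be placed behind authentication; `inconclusive` results need a manual look.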

The implications are severe. Unauthenticated MCP servers expose sensitive data, enable unauthorized system control, and open doors to financial and operational damage. Attackers could exfiltrate private data, extract API credentials, or exploit tool integrations to perform cost-amplifying actions—like spinning up expensive compute resources. This design flaw, inherited from MCP’s early specifications, makes the absence of access controls a widespread and critical issue.
