36% of AI agent servers are hackable and nobody is checking
Everyone talks about AI agents as the next productivity revolution. Companies race to deploy them for customer service, procurement, coding, research. The pitch is irresistible: autonomous software that thinks, decides, and acts on your behalf.
What almost nobody mentions is the infrastructure these agents run on. And that infrastructure is alarmingly broken.
36.7% of MCP servers are vulnerable to attack
The Model Context Protocol (MCP) is the connective tissue between AI agents and the tools they use. It lets agents read files, query databases, call APIs, and execute code. Security researchers at Equixly scanned over 7,000 MCP servers and found that 36.7% were vulnerable to server-side request forgery (SSRF), a class of attack where a server is tricked into accessing internal resources it should never touch.
In a proof-of-concept against Microsoft’s MarkItDown MCP server, researchers retrieved AWS IAM access keys, secret keys, and session tokens from an EC2 instance metadata endpoint. That is not a theoretical risk. That is full cloud account takeover.
Trend Micro separately found 492 MCP servers exposed to the internet with zero authentication. No passwords. No tokens. Just open doors.
The AI agent skills marketplace is already compromised
If vulnerable servers were the only problem, it would be manageable. But the supply chain itself is poisoned.
Snyk’s ToxicSkills study scanned 3,984 agent skills from ClawHub (the largest marketplace for AI agent capabilities) and found that 36% contained prompt injection techniques. Among those, 1,467 carried active malicious payloads. A total of 534 skills, roughly 13.4%, had at least one critical-level security issue: malware distribution, credential theft, or backdoor installation.
Every confirmed malicious skill combined code-level payloads with prompt injection, attacking both the software layer and the natural language instruction layer simultaneously. Your AI agents can be hijacked 92% of the time through prompt injection alone. Add a compromised skill on top, and the attacker controls the agent completely.
One compromised agent cost a manufacturer $3.2 million in 72 hours
A mid-market manufacturer deployed an agent-based procurement system. Attackers compromised the vendor validation agent through a supply chain attack on the AI model provider. The agent began approving orders from shell companies controlled by the attackers.
Because multi-agent systems cascade decisions downstream, the payment agent processed every fraudulent order automatically. By the time inventory counts revealed the discrepancy, $3.2 million had been wired to accounts the company could not recover.
The root cause: a single compromised agent in a chain where no agent verified the others. This is the pattern security researchers keep warning about. When 65% of companies have zero defense against prompt injection, agent-to-agent trust becomes the weakest link.
Why nobody is checking
The MCP ecosystem has no mandatory security review process. Between January and February 2026 alone, researchers filed over 30 CVEs targeting MCP servers, clients, and infrastructure. Among 2,614 MCP implementations surveyed, 82% use file operations vulnerable to path traversal attacks. The vulnerabilities are not exotic. They are the same OWASP Top 10 flaws that web applications have fought for two decades: injection, broken authentication, SSRF.
The difference is speed. AI-powered attacks outrun security teams in 29 minutes, and MCP servers give attackers a direct channel into your cloud infrastructure, databases, and internal APIs.
Companies adopting AI agents without auditing their MCP servers are doing the equivalent of connecting every internal system to the public internet with no firewall. The shadow AI problem costing enterprises $4.2M per breach is about to get significantly worse.
What you should do right now
Three steps, starting today. First, audit every MCP server your organization connects to. Check for SSRF, path traversal, and authentication gaps. The Vulnerable MCP Project maintains a searchable database of known issues.
Second, treat AI agent skills like third-party code dependencies. Scan them before installation. Snyk’s research shows that visual inspection catches almost nothing; automated scanning is the minimum baseline.
Third, implement agent-to-agent verification. No single agent should have the authority to approve financial transactions, access credentials, or modify infrastructure without independent confirmation from a second, isolated agent.
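As an added illustration of the first step (checking for the SSRF path described under the 36.7% figure and the path traversal flaws in file operations), here is defensive input validation for two MCP tool inputs. It is written for this post, not taken from any MCP server; the two tool shapes (a URL fetcher and a sandboxed file reader), the sandbox root and the sample addresses are assumptions.

```python
import ipaddress
import socket
from pathlib import Path
from urllib.parse import urlparse

# Guards for two hypothetical MCP tools: one that fetches a URL on the
# agent's behalf and one that reads a file beneath a sandbox root.

def resolve_all(host):
    """Every address for host; an IP literal resolves to itself (no DNS)."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(info[4][0])
                for info in socket.getaddrinfo(host, None)]

def url_is_safe_to_fetch(url, resolver=resolve_all):
    """True only for plain http(s) whose every resolved address is public.
    Rejects loopback, RFC 1918, link-local (169.254.0.0/16, where the EC2
    metadata endpoint lives), multicast, reserved, and IPv6/IPv4-mapped
    forms. Every address is checked, not just the first DNS answer."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username or parts.password:      # no embedded credentials
        return False
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, ValueError):
        return False
    if not addrs:
        return False
    for addr in addrs:
        mapped = getattr(addr, "ipv4_mapped", None)   # ::ffff:a.b.c.d
        if mapped is not None:
            addr = mapped
        if not addr.is_global or addr.is_multicast or addr.is_reserved:
            return False
    return True

def resolve_within_root(root, requested):
    """Absolute path of `requested` under `root`, or None if it escapes the
    root via '..', an absolute path or a symlink (resolve() follows links)."""
    root = Path(root).resolve()
    target = (root / requested).resolve()
    if target != root and root not in target.parents:
        return None
    return target
```

Wire the first check in front of any outbound HTTP call a tool makes and the second in front of every file open; a tool that skips either is exactly the kind of server the scans above are counting.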
The AI agent revolution is real. But so is the supply chain crisis underneath it. The companies that survive will be the ones that treated their AI infrastructure with the same rigor they apply to every other piece of critical software.
Sources and References
- BlueRock MCP Trust Registry: 36.7% of MCP Servers Exposed to SSRF — BlueRock Security analyzed 7,000+ MCP servers and found 36.7% potentially vulnerable to SSRF attacks, including a proof-of-concept against Markitdown MCP that retrieved AWS IAM credentials.
- MCP Security 2026: 30 CVEs in 60 Days — Between January and February 2026, 30+ CVEs were filed against MCP servers. 43% were exec/shell injection, 20% tooling infrastructure flaws, 13% authentication bypass.
- Three Flaws in Anthropic MCP Git Server Enable Code Execution — CVE-2025-68143/68144/68145 in Anthropic official Git MCP server enabled remote code execution via prompt injection.
- OWASP MCP Top 10 — OWASP published the MCP Top 10 security framework covering model misbinding, context spoofing, prompt-state manipulation, and covert channel abuse.