MCP shipped without authentication. Clawdbot shows why that's a problem.

Model Context Protocol (MCP) continues to face a significant security challenge that shows no signs of abating. Last October, VentureBeat highlighted MCP’s vulnerabilities, citing Pynt’s research that deploying just 10 MCP plug-ins carries a 92% likelihood of exploitation, with risk present even when only a single plug-in is in use.

The fundamental issue remains the same: MCP was initially released without mandatory authentication, with authorization frameworks only being introduced six months after widespread deployment. Merritt Baer, Chief Security Officer at Enkrypt AI, cautioned early on about the risks associated with insecure defaults in MCP. Without authentication and least privilege measures from the outset, the potential for breaches looms large for the foreseeable future.

Recent developments have proven Baer’s concerns to be well-founded. Clawdbot, a popular personal AI assistant capable of automating tasks like inbox management and coding, operates exclusively on MCP. Unfortunately, many developers inadvertently exposed their organizations to MCP’s vulnerabilities by setting up Clawdbot instances on virtual private servers without fully understanding the security implications.

Itamar Golan, who sold Prompt Security to SentinelOne for an estimated $250 million, issued a stark warning about the situation. Thousands of Clawdbots are currently active on VPSs, lacking authentication and leaving open ports to the internet, setting the stage for potential security disasters.

A scan conducted by Knostic uncovered 1,862 MCP servers exposed without authentication, each of which answered queries without requiring credentials. Because no credentials are checked, anyone who can reach such a server can invoke the tools it exposes, turning the automation behind it into a capability an attacker can use.

Several critical vulnerabilities have surfaced in recent months, each stemming from MCP’s design decisions that treated authentication as optional rather than necessary. The vulnerabilities, including CVE-2025-49596, CVE-2025-6514, and CVE-2025-52882, showcase different attack vectors that leverage the absence of mandatory authentication in MCP.

Equixly’s analysis of popular MCP implementations revealed additional vulnerabilities, such as command injection flaws, unrestricted URL fetching, and unauthorized file access. These security gaps raise concerns about the ease with which threat actors could infiltrate systems and execute malicious activities.

Security experts recommend taking proactive measures to address MCP’s vulnerabilities, including conducting an inventory of MCP exposure, enforcing mandatory authentication, restricting network exposure, anticipating prompt injection attacks, and implementing human approval for high-risk actions performed by AI agents.
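As an added illustration of three of those recommendations (mandatory authentication, restricted network exposure, and human approval for high-risk actions), the following Python request gate is example code written for this article, not code from Clawdbot, from the MCP reference servers, or from any vendor named above. The token value, the high-risk tool list, and the function names are hypothetical; the `tools/call` method and its `params.name` field follow the MCP JSON-RPC shape.

```python
import hmac
import json

# Hypothetical shared secret; a real deployment loads it from a secret store.
EXPECTED_TOKEN = "example-token-do-not-use"

# Constructed list of tools whose invocation should require a human in the loop.
HIGH_RISK_TOOLS = {"run_shell", "send_email", "delete_file"}


def listener_is_restricted(bind_host: str) -> bool:
    """True when the server binds only to loopback, so it is not reachable from the internet."""
    return bind_host in {"127.0.0.1", "::1", "localhost"}


def authenticate(headers: dict) -> bool:
    """Reject any request that lacks a valid 'Authorization: Bearer <token>' header."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return False
    presented = value[len("Bearer "):]
    # Constant-time comparison avoids leaking the token through timing differences.
    return hmac.compare_digest(presented, EXPECTED_TOKEN)


def gate_request(headers: dict, body: str, approved_by_human: bool = False) -> dict:
    """Decide one JSON-RPC request: 'deny', 'needs_approval' or 'allow', with a reason."""
    if not authenticate(headers):
        return {"decision": "deny", "reason": "missing or invalid bearer token"}
    try:
        request = json.loads(body)
    except json.JSONDecodeError:
        return {"decision": "deny", "reason": "malformed JSON-RPC body"}
    if request.get("jsonrpc") != "2.0" or "method" not in request:
        return {"decision": "deny", "reason": "not a JSON-RPC 2.0 request"}
    # MCP tool invocations arrive as 'tools/call' with the tool name in params.name.
    if request["method"] == "tools/call":
        tool = request.get("params", {}).get("name", "")
        if tool in HIGH_RISK_TOOLS and not approved_by_human:
            return {"decision": "needs_approval", "reason": f"{tool} is high-risk"}
    return {"decision": "allow", "reason": "authenticated request"}
```

A server that binds to 0.0.0.0 on a VPS with no such gate in front of it is exactly the exposed configuration the Knostic scan counted.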

Despite efforts by security vendors to address MCP risks, many organizations have been slow to implement adequate security measures. The surge in Clawdbot adoption in late 2025 has outpaced the development of AI agent controls in many enterprises’ 2026 security roadmaps, leaving a significant governance gap that malicious actors could exploit.

As the security landscape surrounding MCP continues to evolve, organizations must prioritize securing their MCP exposure to prevent potential exploitation and safeguard sensitive data from unauthorized access. Failure to address these vulnerabilities promptly could lead to severe consequences for businesses and their stakeholders.