The Protocol Nobody Secured
The Model Context Protocol — MCP — is Anthropic's standard for connecting AI agents to tools, data sources, and each other. It is rapidly becoming the plumbing of the agentic web: the interface through which AI coding agents access filesystems, AI browsing agents access databases, and AI defense agents monitor infrastructure. If HTTP is the protocol of the human web, MCP is the protocol of the machine web.
HTTP got TLS. MCP got 200,000 open doors.
The Numbers
OX Security disclosed what they called 'The Mother of All AI Supply Chains' — a systemic architectural vulnerability at MCP's core. The STDIO transport, MCP's default mechanism for connecting agents to local tools, executes operating system commands without sanitization or validation. Pass a malicious command, receive an error — the command still runs. This flaw enables arbitrary remote code execution on any system running a vulnerable MCP implementation.
The scale: 200,000+ vulnerable instances across a supply chain encompassing more than 150 million package downloads. Trend Micro found 492 MCP servers directly exposed to the internet with zero authentication. A broader scan of 7,000+ MCP servers found 36.7% lacked URI restrictions — any connected agent could read any file, execute any command.
What Was Exposed
Default MCP configurations bind admin panels to 0.0.0.0:8080 — publicly accessible from first deployment. The exposed instances revealed: full agent conversation histories, including sensitive data processed by the AI; environment variables containing OpenAI API keys, database credentials, and internal service tokens; and tool configurations showing which tools agents could invoke, including shell_execute and file_write.
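As an added example (not code from this article or from any MCP implementation), a small audit script that flags the weak defaults just described in a constructed server config; the config keys bind, auth, allowed_roots and tools are assumptions for illustration, not a real MCP config schema.

```python
"""Audit a constructed MCP server config for the weak defaults described above.

The config layout (``bind``, ``auth``, ``allowed_roots``, ``tools``) is an
assumption for illustration; real MCP servers keep such settings in
implementation-specific files. Findings come back as strings so a CI job or
an ops script can fail the deployment when the list is non-empty.
"""
import json

ALL_INTERFACES = {"0.0.0.0", "::", ""}
HIGH_RISK_TOOLS = {"shell_execute", "file_write"}  # tools named in the exposures above

# Constructed sample: the out-of-the-box deployment the article describes.
WEAK_CONFIG = json.dumps({
    "bind": {"host": "0.0.0.0", "port": 8080},
    "auth": {"enabled": False},
    "tools": ["read_file", "file_write", "shell_execute"],
})

# Constructed sample: the same server after hardening.
HARDENED_CONFIG = json.dumps({
    "bind": {"host": "127.0.0.1", "port": 8080},
    "auth": {"enabled": True, "scheme": "bearer"},
    "allowed_roots": ["/srv/agent-workspace"],
    "tools": ["read_file"],
})


def audit_config(raw: str) -> list[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    cfg = json.loads(raw)
    findings = []
    bind = cfg.get("bind", {})
    # A missing host is treated as the insecure default (listen everywhere).
    if bind.get("host", "0.0.0.0") in ALL_INTERFACES:
        findings.append(f"binds to all interfaces on port {bind.get('port', 8080)}")
    if not cfg.get("auth", {}).get("enabled", False):
        findings.append("no authentication configured")
    if not cfg.get("allowed_roots"):
        findings.append("no URI restrictions: every path is reachable")
    for tool in cfg.get("tools", []):
        if tool in HIGH_RISK_TOOLS:
            findings.append(f"high-risk tool enabled: {tool}")
    return findings


if __name__ == "__main__":
    for name, raw in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(raw) or ["no findings"])
```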
Four distinct exploitation families have been documented: unauthenticated UI injection in popular AI frameworks, hardening bypasses in 'protected' environments, zero-click prompt injection in leading AI IDEs including Windsurf and Cursor, and malicious marketplace distribution through MCP server registries. In one reported incident, a booby-trapped PDF activated a Claude MCP connection at an industrial facility — triggering a physical pump.
The Pentagon Responded
The NSA published a security advisory on MCP in May 2026 — a formal Cybersecurity Information Sheet specifically addressing Model Context Protocol deployment risks. The Pentagon designated Anthropic — MCP's creator — a 'supply chain risk,' the first time an American technology company has received that classification from the Department of Defense.
Anthropic's response to the architectural criticism: they declined to modify the protocol, citing the behavior as 'expected.' The STDIO command execution without sanitization is not a bug — it's by design. The protocol's creator considers unrestricted command execution a feature. The Pentagon considers it a supply chain risk. Both are correct about what they're describing. They're describing different things.
The Machine Web Parallel
WebPulse has documented the emergence of the machine-to-machine web: 57.4% bot traffic, 100 trillion tokens per month, AI agents that visit 1,000x more pages than humans. What we haven't documented until now is the infrastructure layer underneath that machine web — and how completely unsecured it is.
MCP is to agentic AI what HTTP was to the web in 1995. The protocol that connects everything. The difference: when HTTP was the web's backbone, the worst attack was defacing a page. When MCP is the machine web's backbone, a compromised server grants access to every tool, credential, and conversation the AI agent touches. The blast radius is the agent's entire capability set.
The human web took 20 years to get HTTPS adoption above 80%. The machine web is being built on a protocol with no authentication layer, no encryption standard, and 200,000 instances already deployed without basic access controls. We are repeating the exact same architectural mistake — at machine speed.
The Framework Connection
Every modern development workflow now involves MCP. Claude Code uses MCP to connect to tools. Cursor uses MCP for IDE integrations. GitHub Copilot uses MCP for repository access. The AI coding agents building the web — the agents that chose React, Next.js, FastAPI, Astro — run on MCP. The protocol's insecurity is the development workflow's insecurity.
WordPress sites maintained through wp-admin don't use MCP. Hugo sites built by running a Go binary don't use MCP. The frameworks least connected to the AI development ecosystem are the frameworks least exposed to MCP's architectural vulnerabilities. Once again, the most modern workflows carry the most novel attack surfaces.
The web was built for humans on HTTP without security. It took two decades to fix. The machine web is being built for AI agents on MCP without security. The question is whether the fix will take two decades — or whether the machine web's speed means the exploitation will be two decades' worth of damage compressed into months.