Annual Report First Edition

The State of MCP 2026

An annual review of the Model Context Protocol ecosystem: adoption, governance, threat landscape and the emerging security stack.

June 2026 10 pages 18 min read

By Sascha, Founder

In eighteen months, the Model Context Protocol went from an open-source announcement to the default integration layer between AI agents and the systems they act on. Security has not kept pace. This first annual edition closes that gap with data — mapping adoption, governance, the threat landscape and the defense stack now forming around MCP.

MCP has won the integration layer. The open question is whether the ecosystem secures it by design — or after the first large-scale incident forces the issue.

The numbers

10,000+

active public MCP servers reported at the Linux Foundation donation

Dec 2025

97M

monthly SDK downloads, Python + TypeScript

Mar 2026

41%

of surveyed software organizations running MCP in production

Stacklok 2026

50+

known MCP vulnerabilities tracked — 13 rated critical

Vulnerable MCP Project

82%

of 2,614 analyzed implementations use traversal-prone file operations

Endor Labs

36.7%

of 7,000+ analyzed servers potentially vulnerable to SSRF

BlueRock Security

From the founder's letter

When Anthropic introduced MCP in November 2024, it solved an integration problem: expose capabilities once, and every compatible client can consume them. The market answered decisively. By the time the protocol was donated to the Linux Foundation's Agentic AI Foundation in December 2025, more than 10,000 active public servers were running, and monthly SDK downloads reached roughly 97 million by March 2026 — up from about 100,000 in the launch month.

That growth created something the security industry has seen before: a protocol that became critical infrastructure faster than the practices around it could mature. Every MCP server is executable code with runtime privileges, pulled from registries with uneven review, speaking to agents that treat tool metadata as trusted input.

Our position for 2026 is straightforward. The defense stack — gateways, scanners, runtime policy enforcement — exists today. Adoption of that stack, not invention of it, is the bottleneck.

Inside this report

MCP was introduced by Anthropic on November 25, 2024 as an open, JSON-RPC-2.0-based standard for connecting language models to external tools, data sources and services. Within thirteen months it was adopted or supported by OpenAI, Google DeepMind, Microsoft, Salesforce, Block, Cloudflare and Replit, and embedded natively in tools such as Cursor, Zed, Windsurf and VS Code.

The decisive governance event came in December 2025, when Anthropic donated MCP to the Agentic AI Foundation under the Linux Foundation — converting a vendor-controlled specification into a community-governed standard. The 2025-11-25 revision formalized OAuth 2.1 for remote servers, the protocol's most significant security hardening step to date.

Server counts depend on who is counting. The official MCP Registry held roughly 9,650 latest server records in May 2026; community indices run larger — PulseMCP lists more than 15,900 and GitHub shows nearly 16,000 repositories tagged mcp-server. The honest summary: well over ten thousand distinct public servers exist, the indices overlap, and quality varies enormously.

Scale has surfaced structural friction. At Ask 2026, Perplexity's CTO reported that MCP tool descriptions can consume 40–50% of an agent's context window before any work begins — a 'context tax' that led the company to partially withdraw MCP internally. The community response is the gateway pattern, which reduces context usage to an estimated 5–15%.

Tool poisoning is an indirect prompt injection attack in which instructions are hidden inside tool metadata or responses. Descriptions enter the agent's context window as trusted content; an attacker who controls one can embed instructions the model reads and acts on. Invariant Labs demonstrated the class in April 2025; OWASP now documents it as a named pattern. What distinguishes it from classic prompt injection is persistence — a poisoned description fires on every invocation, for every user, silently, until someone notices.

The 2026 incident record reads like the npm ecosystem's early years replayed at higher speed: registry poisoning against agent skill marketplaces, malicious configuration files, and a disclosure exposing up to 200,000 vulnerable MCP instances — including a CVSS 9.6 remote code execution flaw in a package downloaded nearly half a million times.

BlueRock Security found 36.7% of 7,000+ servers potentially vulnerable to SSRF; in one proof of concept, researchers retrieved AWS IAM credentials from an EC2 metadata endpoint. Combined with Endor Labs' finding that 82% of implementations use traversal-prone file operations, the pattern is clear: most public MCP servers were written as integrations, not as the security-sensitive network services they actually are.

The defensive market has organized into three complementary layers: network allowlists and control-plane tools that restrict where agents can reach; MCP gateways that centralize routing, policy and authentication; and inspection/runtime scanners that analyze server code, tool metadata and live behavior. No single layer is sufficient — defense in depth is what limits blast radius.

NIST launched its AI Agent Standards Initiative in February 2026, with an interoperability profile expected in Q4 2026. Until then, the OWASP MCP Top 10 and the protocol's own OAuth 2.1 requirements are the closest things to a baseline. Organizations deploying MCP today should treat agents as privileged identities.

codelake approaches MCP security from the supply chain inward: mcpscanner performs static and metadata analysis before a server reaches an agent; PromptGate enforces policy at runtime. codelake Research operates a continuous registry-monitoring pipeline with multi-stage verification, publishing advisories under the CLR-YYYY-NNNN scheme in OSV-compatible format.

We expect the official MCP Registry to consolidate as the canonical index while community registries differentiate on curation. The gateway pattern will become the default enterprise topology, driven equally by the context-tax problem and by audit requirements.

On the threat side, we expect registry poisoning campaigns to grow in sophistication, following the trajectory npm and PyPI established — and we expect the first widely reported enterprise breach with an MCP server as initial access vector within the next twelve months.

The NIST interoperability profile and a maturing OWASP MCP Top 10 will give buyers their first real compliance anchors; we anticipate MCP security requirements appearing in enterprise procurement checklists by early 2027.

The OWASP MCP Top 10

codelake maps all advisories and scanner findings to these categories.

ID	Risk category	What it means in practice
MCP01	Token Mismanagement & Secret Exposure	Credentials embedded in configs, leaked via logs or tool output.
MCP02	Privilege Escalation via Scope Creep	Agents accumulating permissions far beyond the task at hand.
MCP03	Tool Poisoning	Hidden instructions in tool descriptions and responses.
MCP04	Software Supply Chain Attacks	Malicious or compromised servers distributed through registries.
MCP05	Command Injection & Execution	Unsanitized parameters reaching shells and interpreters.
MCP06	Intent Flow Subversion	Manipulating the agent's plan between user intent and execution.
MCP07	Insufficient Authentication & Authorization	Unauthenticated remote servers; missing OAuth 2.1 adoption.
MCP08	Lack of Audit & Telemetry	No forensic trail of what agents did, with which tools, and why.
MCP09	Shadow MCP Servers	Unsanctioned servers running inside the enterprise perimeter.
MCP10	Context Injection & Over-Sharing	Sensitive data flowing into model context without controls.

Data appendix · key indicators

Indicator	Value	As of	Primary source
Active public MCP servers (reported)	10,000+	Dec 2025	Anthropic ecosystem update
Official MCP Registry, latest server records	9,652	May 2026	MCP Registry API pull
Official MCP Registry, incl. versions	28,959	May 2026	MCP Registry API pull
GitHub repositories, mcp-server topic	15,926	May 2026	GitHub Search API
PulseMCP indexed servers	15,930+	May 2026	PulseMCP
Monthly SDK downloads (Py + TS)	~97M	Mar 2026	npm / PyPI download data
Orgs with MCP in production (survey)	41%	2026	Stacklok software report
Known MCP vulnerabilities tracked	50+ (13 critical)	Apr 2026	Vulnerable MCP Project
Implementations w/ traversal-prone file ops	82% of 2,614	2026	Endor Labs
Servers potentially SSRF-vulnerable	36.7% of 7,000+	2026	BlueRock Security
Exposed vulnerable MCP instances (disclosure)	up to 200,000	2026	Public disclosure reporting

Registry counts overlap across indices and must not be summed. Survey figures reflect the cited sample, not the global population.

Selected sources

Anthropic MCP ecosystem update · Linux Foundation / Agentic AI Foundation · Official MCP Registry API · Stacklok 2026 software report · Endor Labs · BlueRock Security · Vulnerable MCP Project · OWASP MCP Top 10 (beta) · Invariant Labs · NIST AI Agent Standards Initiative · public CVE databases.