
VIPER-MCP: 67 CVEs from taint-style flaws across 40,000 MCP servers

A May 20, 2026 arXiv paper audited 39,884 open-source MCP server repos, confirmed 106 zero-days end-to-end and got 67 CVE IDs assigned. The story is the pattern: untrusted agent input reaching shell, network and file-system sinks.

2026-06-05 // 6 min affects: mcp-protocol, mcp-servers, llm-agents

What is this?

On May 20, 2026, Pengyu Sun, Qishu Jin, Enhao Huang, Zifeng Kang, Xin Liu, Dakun Shen and Song Li published VIPER-MCP on arXiv (cs.CR, 2605.21392). It is an automated auditing framework for Model Context Protocol (MCP) servers, the small programs that expose tools (shell commands, HTTP requests, file access, database queries) to an LLM agent.

The headline numbers: in a scan of 39,884 real-world open-source MCP server repositories, VIPER-MCP found 106 zero-day vulnerabilities, confirmed every one of them with an end-to-end exploit trace, and has had 67 CVE IDs assigned so far. The authors state all confirmed findings were responsibly disclosed to the affected developers. We are covering this not because any single bug is novel — they are classic injection-class flaws — but because the measurement quantifies a pattern the MCP ecosystem has been carrying since it started growing: an agent’s natural-language input flowing, unsanitised, into a security-sensitive sink.

How it works

A “taint-style” vulnerability is a path where attacker-controlled input (the source) reaches a dangerous operation (the sink) without adequate validation in between. In an MCP server the source is a tool argument the model fills in; the sink is whatever the tool handler does with it. When that handler shells out, opens a socket, builds a file path, or assembles a query, an unconstrained argument becomes command injection, SSRF, path traversal, or SQL injection — and because MCP tools run with the server’s privileges, the end state is often remote code execution. This is the same class as the Akamai MCP back-end findings and the same boundary crossing Microsoft documented when prompts became shells.

VIPER-MCP’s contribution is making this auditable at scale without drowning in false positives. It combines two passes, described here at the level of method, not payload:

Stage                 What it does
--------------------  ----------------------------------------------------------
Two-pass static scan  Standard taint analysis flags candidate source->sink paths,
                      then an "anchor-query" pass adds function-level structure so
                      a file-level alert resolves to a specific MCP tool handler
                      and a concrete call chain.
Dynamic confirmation  A feedback-driven loop refines natural-language prompts
                      toward the flagged sink. Two mutators run independently:
                      one corrects tool-selection drift (getting the agent to call
                      the right tool), one deepens parameter penetration (shaping
                      the argument). Fitness-scored seeds guide the search.
Verdict               A path is reported only when an end-to-end trace actually
                      reaches the sink -- so a "finding" is a confirmed exploit,
                      not an unvalidated warning.

The reason this matters methodologically: prior MCP scanners either produced static alerts no one could triage, or relied on fixed payload templates that missed bugs needing a specific argument shape or a multi-step path. Against two existing baselines the authors report a 4.6% false-positive and 7.7% false-negative rate. No exploit prompts are reproduced here; the canonical reference is the paper and the assigned CVE records.

Why it matters

The MCP server layer is now a large, fast-growing software supply chain that most teams install rather than write. June 2026 measurements put hard numbers around the exposure: per Adversa’s MCP roundup, Censys counted 12,520 Internet-accessible MCP services (most unauthenticated), and a separate measurement study found roughly 40% of remote servers expose tools with no authentication at all. VIPER-MCP adds the code-quality dimension: a meaningful fraction of those servers also carry exploitable taint-style flaws in their tool handlers.

Two consequences follow. First, a vulnerable MCP server turns prompt injection into RCE. If an attacker can influence the content an agent reads — a web page, a document, an issue comment — they can steer it to call a flawed tool with a hostile argument. The agent is the delivery vehicle; the server bug is the payload. Second, 67 CVEs across 40k repos means your dependency graph almost certainly includes some of them. Unlike a single advisory, this is a class you have to sweep for, not a line you patch once.

Defenses

The fixes are unglamorous and well understood — the gap is that MCP server code often skips them.

  1. Treat every tool argument as untrusted input. The model is not a trusted caller; its arguments may be attacker-influenced via indirect injection. Validate type, length, and allowed character set at the handler boundary before the value reaches any sink.

  2. Eliminate the dangerous sinks. Avoid shell=True / string-built commands (pass argument vectors), parameterise every database query, resolve and confine file paths to an allowlisted root, and restrict outbound requests to a destination allowlist to block SSRF. Never feed a tool argument to eval/exec.

  3. Run servers with least privilege and isolation. Drop the blast radius: dedicated low-privilege user, sandbox or container, no ambient cloud credentials, network egress filtering. A confined RCE is an incident; an unconfined one is a breach.

  4. Authenticate and de-expose remote servers. Put auth in front of every remote MCP server and take unauthenticated ones off the public Internet — the single highest-impact move, and the one the exposure counts show most operators still skip.

  5. Audit before you trust a third-party server. Static taint scanning (the kind VIPER-MCP automates) plus review of which servers you boot-load. Check whether any of the 67 assigned CVEs touch your dependencies and track upstream patches.

  6. Add a trust and admission layer. Pair the above with proposals like attested tool-server admission (signed clearance, deny-by-default allowlists) and the NSA’s MCP security design considerations as a baseline.
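As an added illustration of items 1 and 2 (example code written for this post, not taken from the paper or any MCP SDK), the following Python helpers validate a model-supplied argument at the handler boundary and remove the shell, file-path and outbound-URL sinks; `ROOT`, `ALLOWED_HOSTS` and the tool names are assumed deployment settings.

```python
import re
import subprocess
from pathlib import Path
from urllib.parse import urlsplit

# Constructed example: boundary checks an MCP tool handler can apply to every
# model-supplied argument. ROOT and ALLOWED_HOSTS are assumed deployment settings.
ROOT = Path("/srv/mcp-data")
ALLOWED_HOSTS = {"api.example.internal"}
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


class ToolArgumentError(ValueError):
    """Raised when a model-supplied argument fails validation at the handler boundary."""


def confine_path(user_path: str, root: Path = ROOT) -> Path:
    """Resolve a path argument under root; reject traversal, absolute paths and symlink escapes."""
    # root / user_path silently discards root when user_path is absolute, and resolve()
    # follows symlinks, so containment is checked on the fully resolved result.
    candidate = (root / user_path).resolve()
    root = root.resolve()
    if candidate != root and root not in candidate.parents:
        raise ToolArgumentError(f"path escapes allowed root: {user_path!r}")
    return candidate


def validate_name(value: str) -> str:
    """Allowlist the character set of a short identifier argument (table, branch, file stem)."""
    if not NAME_RE.fullmatch(value):
        raise ToolArgumentError(f"invalid identifier: {value!r}")
    return value


def word_count_argv(user_path: str) -> list[str]:
    """Build an argument vector for wc so no shell ever parses the (validated) path."""
    # Sink this replaces: subprocess.run(f"wc -w {user_path}", shell=True)
    return ["wc", "-w", str(confine_path(user_path))]


def run_word_count(user_path: str) -> str:
    """Execute the tool with an argv list; the path cannot inject further commands."""
    return subprocess.run(word_count_argv(user_path), capture_output=True, text=True, check=True).stdout


def check_fetch_url(url: str, allowed_hosts: set[str] = ALLOWED_HOSTS) -> str:
    """SSRF control: only https to an allowlisted host, and no userinfo that could confuse a reader."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in allowed_hosts or parts.username:
        raise ToolArgumentError(f"destination not allowed: {url!r}")
    return url
```

The same containment check belongs in front of any read, write or delete tool, not only the one shown; the URL check should run on the final destination after any redirect as well.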

Status

Item                Reference                  Date        Notes
------------------  -------------------------  ----------  ------------------------------------------------------------------------
VIPER-MCP paper     arXiv:2605.21392 (cs.CR)   2026-05-20  Static + dynamic auditing framework for MCP servers
Scan scope          Paper                      2026-05-20  39,884 open-source MCP server repos
Findings            Paper                      2026-05-20  106 confirmed 0-days, 67 CVE IDs assigned to date
Disclosure          Paper                      2026-05-20  Responsibly disclosed; CVE assignment coordinated
Ecosystem exposure  Adversa / Censys roundup   2026-06-04  12,520 Internet-exposed MCP services, ~40% of remote servers unauthenticated

The right framing is not “MCP is broken” — it is that MCP servers are ordinary software with ordinary injection bugs, deployed with extraordinary privilege and often no authentication. The agent in front of them only makes the source easier for an attacker to reach. Sweep your servers for the disclosed CVEs, kill the sinks, and put auth and isolation in front of everything that can run a command.
