The Dangers of Shipping without Authentication: Clawdbot’s Warning


MCP shipped without authentication. Clawdbot shows why that's a problem.

Addressing the Ongoing Security Issues of Model Context Protocol

Model Context Protocol (MCP) continues to face persistent security challenges that are proving to be a significant concern for developers and organizations alike.

Back in October, VentureBeat highlighted MCP’s vulnerabilities and the data behind them. Research by Pynt found that deploying as few as 10 MCP plug-ins carries a 92% likelihood of exploitation, and that even a single plug-in carries substantial risk.

The fundamental issue is unchanged: MCP was released without mandatory authentication, and authorization frameworks arrived only six months after widespread deployment. Merritt Baer, Chief Security Officer at Enkrypt AI, had warned about this flaw, saying that MCP’s insecure defaults could lead to a decade of breach cleanups if authentication and least privilege were not built in from the outset.

Three months on, that cleanup has begun, and the consequences are proving more severe than anticipated.

The introduction of Clawdbot changed the threat landscape. This viral personal AI assistant, which can manage inboxes and run coding tasks overnight, operates exclusively on MCP. Many developers who hastily spun up Clawdbot instances on Virtual Private Servers (VPS) without reading the security guidelines exposed their organizations to the full range of the protocol’s weaknesses.

Itamar Golan, who sold Prompt Security to SentinelOne for an estimated $250 million, reiterated the looming disaster. In a recent post he warned of the thousands of live Clawdbots running on VPSs with open internet ports and zero authentication, and predicted a grim outcome.


Subsequent scans by Knostic found 1,862 exposed MCP servers with no authentication, each responding without requiring credentials. In practice, anything Clawdbot can automate, a malicious actor reaching one of those servers can exploit.

The Rise of Three Critical CVEs Exposing MCP’s Architectural Flaws

The vulnerabilities plaguing MCP are not isolated incidents but direct outcomes of the protocol’s design choices. The three critical CVEs and the risks they carry:

  • CVE-2025-49596 (CVSS 9.4): Anthropic’s MCP Inspector exposed unauthenticated access between its web UI and proxy server, facilitating complete system compromise via a malicious webpage.

  • CVE-2025-6514 (CVSS 9.6): Command injection in mcp-remote, an OAuth proxy with 437,000 downloads, enabled attackers to take over systems by connecting to a malicious MCP server.

  • CVE-2025-52882 (CVSS 8.8): Popular Claude Code extensions exposed unauthenticated WebSocket servers, allowing for arbitrary file access and code execution.

These three critical vulnerabilities, disclosed within six months of each other, use distinct attack vectors but share a root cause: authentication in MCP is optional, and developers frequently left it off on the assumption that it was unnecessary.

Expanding Attack Surfaces and Unveiling Additional Vulnerabilities

A recent analysis by Equixly examined widely used MCP implementations and found that 43% contained command injection flaws, 30% allowed unrestricted URL fetching, and 22% leaked files beyond their designated directories.
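The three flaw classes in the Equixly figures map onto three well-known coding mistakes in tool handlers. The following is an added example, not code from the article or from any vendor it names: for each class it shows the pattern that produces the flaw beside a hardened replacement. The tool (a grep wrapper), the allowlisted host and the sandbox directory are constructed for illustration.

```python
from __future__ import annotations

import ipaddress
import subprocess
from pathlib import Path
from urllib.parse import urlparse


# --- 1. Command injection (43% of implementations) ---------------------------
def unsafe_command_line(pattern: str, path: str) -> str:
    """The flawed pattern: a tool argument interpolated into a shell string.

    Shell metacharacters in `pattern` become part of the command, so a string
    built this way must never be handed to subprocess.run(..., shell=True).
    """
    return f"grep -n {pattern} {path}"


def safe_argv(pattern: str, path: str) -> list[str]:
    """Hardened form: an argument vector for subprocess.run(argv, shell=False).

    Each element reaches grep verbatim, and "--" ends option parsing so a
    pattern that starts with '-' cannot be interpreted as a flag.
    """
    return ["grep", "-n", "--", pattern, path]


def grep_file(pattern: str, path: str) -> str:
    """Run the hardened form with no shell and a timeout."""
    result = subprocess.run(safe_argv(pattern, path), shell=False,
                            capture_output=True, text=True, timeout=10)
    return result.stdout


# --- 2. Unrestricted URL fetching (30%) --------------------------------------
def is_fetch_allowed(url: str, allowed_hosts: frozenset[str]) -> bool:
    """Fetch policy: https only, no credentials in the URL, named hosts from an
    allowlist, and no literal IP addresses (the usual route to internal and
    cloud-metadata services)."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.username or parsed.password:
        return False
    host = parsed.hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # literal IPv4/IPv6 address: refused regardless of allowlist
    except ValueError:
        pass
    return host.lower() in allowed_hosts


# --- 3. File access beyond the designated directory (22%) --------------------
def path_within_root(root: Path | str, requested: str) -> bool:
    """True only if `requested` (relative or absolute, with any '..' segments or
    symlinks) resolves to a location inside `root`."""
    root = Path(root).resolve()
    candidate = (root / requested).resolve()  # absolute `requested` replaces root here, then fails the check
    return candidate == root or root in candidate.parents


def resolve_within(root: Path | str, requested: str) -> Path:
    """Resolve a tool's file argument or refuse it if it escapes the sandbox."""
    if not path_within_root(root, requested):
        raise PermissionError(f"{requested!r} escapes the designated directory")
    return (Path(root).resolve() / requested).resolve()


if __name__ == "__main__":
    print(safe_argv("needle; echo injected", "notes.txt"))
    print(is_fetch_allowed("https://docs.example.com/page", frozenset({"docs.example.com"})))
    print(path_within_root("/tmp/mcp_root_constructed", "../../etc/passwd"))
```

The allowlist check only vets the name in the URL; a host that is on the list but resolves to an internal address (DNS rebinding) still needs a check at connection time, which this example does not include.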

Forrester analyst Jeff Pollard described the risk in a blog post: an MCP server lets a malicious actor slip into an environment, which he called an effective yet perilous way of introducing a potent threat actor into an organization’s ecosystem without any safeguards.

The implications are clear: an MCP server with shell access can be used for lateral movement, credential theft and ransomware deployment, all triggered by prompt injections embedded in documents the AI agent processes.

Unveiling Known Vulnerabilities and Delayed Remediation Efforts

Security researcher Johann Rehberger disclosed a file exfiltration vulnerability last year, showing how a prompt injection can coerce an AI agent into sending sensitive data to a malicious party.

Anthropic recently introduced Cowork, which brings MCP-based agents to a broader and less security-conscious audience. The move revived concerns about the same vulnerability, now more exploitable than ever: PromptArmor demonstrated how a malicious document could manipulate the agent into uploading sensitive financial data.

Anthropic’s recommended mitigation is to monitor for suspicious activity that may indicate prompt injection, which places the burden of awareness and proactive response on the operator.

a16z partner Olivia Moore shared her impressions after experimenting with Clawdbot, stressing that users must understand how much authority they grant an AI agent and authorize access deliberately, a responsibility that MCP’s design makes easy for both users and developers to overlook.

Guidelines for Security Leaders: Mitigating MCP Vulnerabilities

  • Inventory MCP exposure: use tooling that identifies MCP servers specifically, because traditional endpoint detection may not recognize them.

  • Mandate authentication: every MCP server that touches production systems must enforce authentication, preferably OAuth 2.1, so that unauthenticated access is impossible rather than merely discouraged.

  • Limit network exposure: bind MCP servers to localhost unless remote access is explicitly required and properly authenticated; an internet-facing port with no authentication is the exposure pattern behind the open Clawdbot instances.

  • Plan for prompt injection: assume MCP servers will be targeted by it and design access controls for the worst case.

  • Require human approval for high-risk actions: demand explicit confirmation before an agent sends email, deletes data or reads sensitive information, treating the agent as capable but compromisable.
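Three of the guidelines above (authentication on every request, loopback binding unless remote access is explicitly enabled, and human approval for high-risk tools) can be enforced at a single request gate in front of an MCP-style JSON-RPC endpoint. The following is an added example, not code from the article, from Anthropic or from any project it names. It assumes a static bearer token standing in for a full OAuth 2.1 flow, constructed tool names, and an approval callback supplied by the operator; the JSON-RPC method and result shapes follow MCP's `tools/call` convention.

```python
from __future__ import annotations

import hmac
import ipaddress
import json
import secrets
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class GateConfig:
    bind_host: str = "127.0.0.1"   # loopback unless remote access is explicitly enabled
    allow_remote: bool = False
    # Static token stands in for OAuth 2.1 in this example (assumption).
    bearer_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    # Constructed names of tools that must not run without a human saying yes.
    high_risk_tools: frozenset[str] = frozenset({"send_email", "delete_file", "read_secrets"})
    # Default approval callback denies, so a missing reviewer fails closed.
    approve: Callable[[str, dict], bool] = lambda tool, args: False


def bind_address_ok(cfg: GateConfig) -> bool:
    """Refuse a non-loopback listen address unless allow_remote is set."""
    if cfg.bind_host == "localhost":
        return True
    try:
        is_loopback = ipaddress.ip_address(cfg.bind_host).is_loopback
    except ValueError:
        is_loopback = False
    return is_loopback or cfg.allow_remote


def _error(req_id, code: int, message: str) -> dict:
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def _authorized(headers: dict, cfg: GateConfig) -> bool:
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    if not auth.startswith("Bearer "):
        return False
    presented = auth[len("Bearer "):]
    # Constant-time comparison so the check cannot leak the token by timing.
    return hmac.compare_digest(presented.encode(), cfg.bearer_token.encode())


def handle_request(headers: dict, body: str, cfg: GateConfig, tools: dict) -> tuple[int, dict]:
    """Process one JSON-RPC request; returns (http_status, response_object)."""
    if not _authorized(headers, cfg):          # authentication before anything else
        return 401, _error(None, -32001, "authentication required")
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        req = None
    if not isinstance(req, dict):
        return 400, _error(None, -32700, "parse error")
    req_id = req.get("id")
    if req.get("method") != "tools/call":
        return 200, _error(req_id, -32601, "method not found")
    params = req.get("params") or {}
    name, args = params.get("name"), params.get("arguments") or {}
    if name not in tools:
        return 200, _error(req_id, -32602, f"unknown tool {name!r}")
    if name in cfg.high_risk_tools and not cfg.approve(name, args):
        return 200, _error(req_id, -32002, f"tool {name!r} requires human approval")
    result = tools[name](**args)
    return 200, {"jsonrpc": "2.0", "id": req_id,
                 "result": {"content": [{"type": "text", "text": str(result)}]}}


def make_call(name: str, arguments: dict, req_id: int = 1) -> str:
    """Build a tools/call request body (used by the demo below)."""
    return json.dumps({"jsonrpc": "2.0", "id": req_id, "method": "tools/call",
                       "params": {"name": name, "arguments": arguments}})


def serve(cfg: GateConfig, tools: dict, port: int = 8080) -> None:
    """Listen on cfg.bind_host (loopback by default) and serve forever."""
    from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
    if not bind_address_ok(cfg):
        raise RuntimeError(f"refusing to bind {cfg.bind_host!r} without allow_remote=True")

    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
            status, resp = handle_request(dict(self.headers), body, cfg, tools)
            payload = json.dumps(resp).encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

    ThreadingHTTPServer((cfg.bind_host, port), Handler).serve_forever()


if __name__ == "__main__":
    demo = GateConfig(approve=lambda tool, args: input(f"allow {tool}({args})? [y/N] ") == "y")
    print("token:", demo.bearer_token)
    serve(demo, {"echo": lambda text: text, "send_email": lambda to, body: f"sent to {to}"})
```

The order of checks is the point: authentication runs before the body is even parsed, the approval callback defaults to deny, and `serve` refuses a wildcard bind address unless the operator has opted in, so the insecure configuration has to be chosen deliberately rather than arrived at by default.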

The Governance Void: Bridging the Gap Between Enthusiasm and Security

While security vendors were quick to respond to the MCP risks, many enterprises have lagged in putting controls in place.

The surge in Clawdbot adoption in Q4 2025 stands in stark contrast to the absence of AI agent controls from most 2026 security roadmaps. That gap between developer enthusiasm and security governance is exactly the kind of opening opportunistic threat actors exploit.

Golan’s prediction stands: the coming chaos is inevitable. The open question is whether organizations will harden their MCP deployments before malicious actors exploit these weaknesses.
