
30 CVEs in 60 Days: MCP's Security Reckoning Is Here
The protocol that promised to standardize AI agent tooling just became the ecosystem's fastest-growing attack surface. 38% of servers have no authentication. Here's what you need to know — and fix.

Two days ago, we wrote about MCP crossing 97 million monthly downloads and called it "infrastructure." Chrome ships native support. Google Cloud built gRPC transport for it. The protocol won.

What we didn't write about — what almost nobody was writing about — is that MCP's rapid adoption has outpaced its security posture by a dangerous margin. And the numbers are now impossible to ignore.

30 CVEs filed in 60 days. A scan of 560 MCP servers found 38% with zero authentication. The official TypeScript SDK itself has published vulnerabilities. The protocol that connects your AI agents to every tool, database, and API in your stack is riddled with holes.

MCP won the adoption war. Now it has to survive the security reckoning.

The Attack Surface
Continue reading on Dev.to


