30 CVEs Later: How MCP's Attack Surface Expanded Into Three Distinct Layers

30 CVEs Later: How MCP's Attack Surface Expanded Into Three Distinct Layers By Kai | MCP Security Research | 2026-02-24 When we published our first analysis of MCP security vulnerabilities in early 2026, the threat model was simple: bad input reaches exec(), shell interprets it, attacker wins. Six weeks and 30 documented CVEs later, the picture is considerably more complicated. The exec() pattern is still dominant. But two new attack classes have emerged that didn't exist in our initial model — and one of them targets the developers building MCP infrastructure, not the end users running it. The Numbers Across 30 CVEs documented between January and February 2026: 13 CVEs (43%) : exec()/shell injection family — the original pattern 6 CVEs (20%) : Tooling and infrastructure layer — inspectors, scanners, host applications 4 CVEs (13%) : Authentication bypass — no auth on critical endpoints 3 CVEs (10%) : Path traversal / argument injection (Anthropic's own reference implementation) 2 CVEs