
Your MCP server has 40+ CVEs to learn from.

Between January and April 2026, security researchers disclosed over 40 CVEs against Model Context Protocol implementations across Python, TypeScript, Java, and Rust SDKs. The affected servers include Anthropic's reference implementations, third-party tools with 150 million combined downloads, and 9 of 11 MCP marketplaces. The published failure modes cluster into eight recurring shapes:

  1. Tool description injection (untrusted input interpolated into tool descriptions or schemas that the LLM reads as instructions).
  2. Tool poisoning (caller-controlled paths to file systems, URLs, or environment variables without an allowlist).
  3. Rug pull risk (tool descriptions that change per request based on mutable state).
  4. Sensitive sinks inside tool handler bodies (subprocess, eval, raw SQL, network calls).
  5. Manifest vs handler mismatch (tools/list advertises a tool whose handler signature does not match the schema).
  6. Unbounded resource access (overbroad filesystem root, unrestricted URL fetch).
  7. Prompt data leakage (text returned to the LLM contains secrets, PII, or environment values).
  8. Auth bypass on sensitive tools (sensitive tool definition has no auth check at handler entry).

vulkro scan-mcp-server catches all eight, offline, before you publish.
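As an added illustration of the manifest vs handler mismatch class (item 5 above), and not code from Vulkro or from this page, here is a stand-alone Python check that compares a tools/list manifest against the signatures of the registered handler functions. The manifest, the tool names and the handlers are all constructed for the example; the check reports schema properties the handler drops, handler parameters the model can never supply, and handlers the manifest never discloses.

```python
import inspect
import json

# Constructed tools/list manifest, as an MCP server might advertise it (not a real server).
MANIFEST = json.loads("""{"tools": [
 {"name": "read_file", "inputSchema": {"type": "object",
   "properties": {"path": {"type": "string"}}, "required": ["path"]}},
 {"name": "search", "inputSchema": {"type": "object",
   "properties": {"query": {"type": "string"}, "limit": {"type": "integer"}},
   "required": ["query"]}}]}""")

# Constructed handlers: only the signatures matter for this check, so the bodies are stubs.
def read_file(path: str, follow_symlinks: bool = False) -> str:
    return ""

def search(q: str, limit: int = 10) -> list:   # 'q' drifted away from the schema's 'query'
    return []

HANDLERS = {"read_file": read_file, "search": search}

def manifest_handler_mismatches(manifest: dict, handlers: dict) -> list:
    """Report every way the advertised inputSchema and the handler signature disagree."""
    problems = []
    for tool in manifest["tools"]:
        name = tool["name"]
        fn = handlers.get(name)
        if fn is None:
            problems.append(f"{name}: advertised in tools/list but no handler is registered")
            continue
        schema = tool["inputSchema"]
        props = set(schema.get("properties", {}))
        required = set(schema.get("required", []))
        params = inspect.signature(fn).parameters
        # An argument the model is told to send but the handler silently drops.
        for p in sorted(props - set(params)):
            problems.append(f"{name}: schema property '{p}' has no handler parameter")
        for p, param in params.items():
            has_default = param.default is not inspect.Parameter.empty
            # A parameter the model can never supply: the call fails or a default is always used.
            if p not in props and not has_default:
                problems.append(f"{name}: handler parameter '{p}' is not in the schema")
            # Optional per the schema, mandatory per the handler: calls without it crash.
            elif p in props and p not in required and not has_default:
                problems.append(f"{name}: '{p}' is optional in the schema but required by the handler")
    # A handler reachable by name that the manifest never discloses.
    for name in sorted(set(handlers) - {t["name"] for t in manifest["tools"]}):
        problems.append(f"{name}: handler registered but not advertised in tools/list")
    return problems
```

Run against the constructed inputs, the check flags only the search tool, whose handler renamed the required query argument.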

What the subcommand does

vulkro scan-mcp-server path/to/your/mcp-server

It walks the source tree, identifies Python (mcp.server / FastMCP) and TypeScript (@modelcontextprotocol/sdk) MCP server shapes, and runs eight detectors against each tool handler. Output uses the standard Vulkro table, JSON, SARIF and NDJSON formats, so it slots into the same CI pipeline as everything else you scan. Exit codes follow the standard contract: 0 if clean, 1 if findings, 2 if error.

The detector pack is shipped at stable rule IDs MCP-SERVER-001 through MCP-SERVER-008 so you can suppress or tune them in .vulkroignore the same way you would any other Vulkro rule. The full rule documentation covers trigger conditions, evidence requirements, and the positive + negative fixture corpus that drives the regression tests.

Three things Vulkro is not

To make the scope clear:

  1. vulkro mcp-audit scans MCP host configurations (Claude Desktop, Cursor, Windsurf, VS Code, Cline, Continue, Gemini). It checks unpinned npx/uvx, mutable git refs, overbroad fs roots, env-var secrets, cleartext endpoints, and the compromised-release catalog. Different surface entirely.
  2. vulkro mcp serve makes Vulkro itself behave as an MCP server. Claude Code, Cursor, Windsurf, and any other MCP client can call Vulkro to scan files and projects directly from the editor.
  3. vulkro scan-mcp-server is the new piece: it scans MCP server source code (the code you are writing). This page is about that.

The three surfaces compose: Claude Code can call Vulkro via MCP to scan the MCP server source you are building, before you publish it to a marketplace.

The architectural distinction

Every other MCP security scanner in the market (mcpscan.ai, McpSafetyScanner, Enkrypt AI's MCP Scan) is either a hosted SaaS or relies on cloud LLM evaluation. Vulkro is the only one that runs entirely on your laptop with no model call. The detector implementation is closed-source so its rule signatures cannot be trivially reverse-engineered by an attacker writing a deliberately detector-evading MCP server; the benchmark harness is public so a buyer can audit the claim that the detection works.

If your MCP server holds proprietary tool implementations, credentials, or customer data shapes, you almost certainly do not want to upload it to a SaaS analyzer or send it through a cloud model. Vulkro is the option that does neither.

Get started

The scanner is in the free tier. No license required, no account, nothing to sign up for.

# macOS / Linux
curl -fsSL https://install.vulkro.com | sh

# Then, on your MCP server source tree
vulkro scan-mcp-server .

The first scan against a fresh repo typically completes in under one second per 1,000 LoC. The default --fail-on critical,high gate is right for CI; bump to --fail-on critical,high,medium when you want the lower-severity advisories surfaced (the defaults are tuned for a low false-positive rate at Medium and above, so this is usually sensible).

Use Vulkro as an MCP tool inside Claude Code or Cursor

Vulkro can also run as an MCP server itself, so Claude Code or Cursor can call it on every diff:

{
  "mcpServers": {
    "vulkro": {
      "command": "vulkro",
      "args": ["mcp", "serve"]
    }
  }
}

That gives your AI coding assistant the scan_project, scan_file, explain, list_rules, and get_findings tools. When you are writing an MCP server, the same Claude Code session can scan the file it just generated for the same eight detector classes before you commit. See the mcp serve docs for the full setup.

The market is moving fast

The MCP ecosystem is at the same stage npm was around 2018: the spec is established, the marketplaces are growing, and the adversaries are catching up faster than the tooling. Catching your MCP server's tool description injection or manifest drift before you publish it is the cheap version of fixing it; finding out from a CVE filing is the expensive version.

Read the scan-mcp-server docs for the full rule reference and the fixture corpus, or just run it now:

vulkro scan-mcp-server .