# MCPBlog.dev

> The MCP Ecosystem Blog — Security research, tool discovery patterns, and infrastructure insights for developers building with the Model Context Protocol.

## About

MCPBlog.dev covers the Model Context Protocol (MCP) ecosystem with a focus on security, tool discovery, infrastructure patterns, and governance. Written by Algis Dumbris.

## Topics

- Security: Tool poisoning, supply chain attacks, schema drift, credential harvesting
- Discovery: BM25 search, semantic routing, context management, tool filtering
- Infrastructure: Proxies, gateways, sandboxing, OAuth 2.1, Docker isolation
- Ecosystem: Standards (NIST), conferences, community trends, registry governance

## Posts

- [The EU AI Act Article 12 Deadline Just Moved. Here Is What Still Has a 2026 Deadline.](https://mcpblog.dev/blog/2026-05-12-eu-ai-act-article-12-delay-what-still-has-a-2026-deadline): The EU Council and Parliament agreed on May 7 to push the high-risk AI compliance deadline from August 2026 to December 2027. Multiple parallel mandates — DORA, NIS2, GPAI obligations, transparency rules — did not move. Here is what the Omnibus VII delay actually changes for organizations deploying AI agents.
- [The Official MCP 2026 Roadmap Names the Enterprise Gaps. The Spec Team Is Routing Them Through Extensions.](https://mcpblog.dev/blog/2026-05-12-mcp-2026-roadmap-anthropic-names-enterprise-gaps): Anthropic published the official 2026 MCP roadmap. Four enterprise gaps are named directly — audit trails, SSO-integrated auth, gateway behavior, configuration portability — and the spec team is explicitly routing them through extensions and a new Enterprise Working Group rather than into the core protocol.
- [The State of MCP Security 2026: What 24,008 Exposed Secrets and Eight Public Incidents Tell Us About a Maturing Threat Surface](https://mcpblog.dev/blog/2026-05-10-state-of-mcp-security-2026-pipelab-numbers): PipeLab's State of MCP Security 2026 is the first comprehensive defense-coverage grading for the MCP ecosystem. 24,008 exposed secrets. 82% path-traversal vulnerability rate. Eight named in-the-wild incidents. The numbers describe a category that has outgrown its own tooling.
- [341 Malicious Skills, Zero Registry Checks: What OpenClaw's ClawHavoc Means for MCP](https://mcpblog.dev/blog/2026-04-20-341-malicious-skills-zero-registry-checks): In January 2026, 341 malicious skills infiltrated OpenClaw's official registry. The MCP ecosystem faces the same structural vulnerability — and scanning alone won't fix it.
- [The Attack That Gets Better as Your AI Gets Smarter](https://mcpblog.dev/blog/2026-04-20-attack-gets-better-ai-gets-smarter): Unit 42's MCPTox benchmark found 72.8% attack success on o1-mini. More capable models are more vulnerable to MCP sampling injection because the attack exploits instruction-following. You cannot model-upgrade your way out of this.
- [Nobody Is Checking: What Three Independent Scans of 14,000+ MCP Servers Reveal](https://mcpblog.dev/blog/2026-04-19-14k-servers-scanned-admission-gap): Three independent teams scanned 14,000+ MCP servers in 30 days. All found the same vulnerabilities. All ended with the same recommendation. None of them could enforce it.
- [MCP Is Deprecating Sampling, Roots, and Logging: What It Means for the Ecosystem](https://mcpblog.dev/blog/2026-04-17-mcp-deprecating-sampling-roots-logging): SEP-2577 proposes removing three core MCP features simultaneously. The protocol is scope-reducing to become a lean stateless tool-calling layer. Here is what builders need to know.
- [A Malicious MCP Server Can Inflate Your API Bill 658x — And Standard Defenses Miss It 97% of the Time](https://mcpblog.dev/blog/2026-04-10-658x-amplification-attack): A new class of MCP attack turns tool responses into a billing amplifier. A session that should cost $0.10 costs $65.80. The schema is clean, the task completes, and 97% of standard defenses never notice.
- [Three Governance Gaps Nobody Instruments in Multi-Agent Systems](https://mcpblog.dev/blog/2026-04-08-three-governance-gaps-multi-agent-systems): Three independent teams arrived at the same conclusion this week: multi-agent systems fail silently because nobody instruments delegation, escalation, or reputation. Here are the practical instrumentation points.
- [MCP Server-Initiated Sampling: The Spec Feature That Becomes an Attack Vector](https://mcpblog.dev/blog/2026-04-07-mcp-sampling-attack-vector): MCP sampling lets servers request LLM completions through the client. Unit42 research shows how this legitimate spec feature enables prompt injection, cross-server poisoning, privilege escalation, and data exfiltration.
- [Q1 2026 MCP CVE Roundup: 9 Vulnerabilities, 3 Patterns, 1 Lesson](https://mcpblog.dev/blog/2026-04-07-q1-2026-mcp-cve-roundup): MCP went from zero CVEs to nine in a single quarter. A data-driven breakdown of every vulnerability, the three recurring patterns behind them, and what the ecosystem should do next.
- [Only 8.5% of MCP Servers Use OAuth](https://mcpblog.dev/blog/2026-03-31-mcp-oauth-gap-gateway-architecture): A study of 5,200+ MCP servers found 88% require credentials, 53% use static API keys, and only 8.5% use OAuth. Six RSAC vendors announced MCP governance — none fix these numbers. The gateway layer does.
- [The Approved Server Problem: How a Legitimate MCP Server Can Still Exfiltrate Everything](https://mcpblog.dev/blog/2026-03-25-approved-server-exfiltration-problem): Quarantine catches obvious malware. Docker contains filesystem access. But an approved, isolated MCP server with outbound network access can silently POST every tool call payload to an attacker. Here is what to do about it.
- [The LiteLLM Supply Chain Attack Is the Best Argument for Docker-Isolated MCP Servers](https://mcpblog.dev/blog/2026-03-25-litellm-supply-chain-docker-isolation): LiteLLM v1.82.7 was compromised via a poisoned GitHub Action. The .pth malware fires on every Python startup, stealing SSH keys, cloud creds, and API keys. Many MCP servers pull LiteLLM as a transitive dependency.
- [The Single-Agent Era Is Over](https://mcpblog.dev/blog/2026-03-23-single-agent-era-over): In 72 hours: Microsoft AutoGen retired, GitHub launched Squad, Block's Goose pivoted to multi-agent. Three independent signals, same conclusion: the single-agent architecture is done.
- [Identity Secures the Agent, But Who Secures the Tool Call?](https://mcpblog.dev/blog/2026-03-22-identity-vs-tool-call-security): Microsoft, CyberArk, and Okta frame AI agent security through identity. But identity alone does not prevent tool poisoning or parameter manipulation. The MCP gateway layer is the missing half.
- [$430M in One Month: Why AI Agent Security Is 2026's Hottest VC Category](https://mcpblog.dev/blog/2026-03-21-430m-ai-agent-security-vc): March 2026 saw $430M+ invested in AI agent security across 5 major rounds. Combined with 30 CVEs, 9 documented MCP breaches, and 1,184 malicious skills, the market signal is unmistakable.
- [chmod for AI Agents: How the MCP Permission Model War Will Shape Agent Security](https://mcpblog.dev/blog/2026-03-21-chmod-ai-agents-mcp-permissions): Three radically different permission models for MCP emerged this month: Unix-style rwxd, DIFC labels, and scope-per-service. The winner will define how enterprises govern AI agent tool access.
- [From Azure SSRF to RSAC Stage: What CVE-2026-26118 Teaches Us About MCP Gateway Security](https://mcpblog.dev/blog/2026-03-20-azure-ssrf-mcp-gateway-security): The first high-profile MCP CVE (CVSS 8.8) in Azure's MCP Server plus Token Security's MCPwned RSAC presentation show why every MCP deployment needs a gateway layer that inspects tool calls before they reach upstream servers.
- [Why MCP Gateways and Runtime Hooks Are Complementary, Not Competing](https://mcpblog.dev/blog/2026-03-20-gateways-vs-hooks-complementary): Security Boulevard argues gateways are a bad idea for MCP. They are half right. The best architecture uses both gateways for perimeter defense and hooks for runtime context. Here is how they fit together.
- [MCP Security Just Became an Enterprise Product Category](https://mcpblog.dev/blog/2026-03-19-mcp-security-enterprise-category): In five days, three companies launched dedicated MCP security products. Combined with OWASP MCP Top 10 and CoSAI's threat taxonomy, MCP security has transitioned from research concern to funded enterprise market.
- [From Theory to Exploit: Real MCP Attacks and How Gateways Stop Them](https://mcpblog.dev/blog/2026-03-18-real-mcp-attacks-gateway-defenses): MCP security has moved from theoretical risks to documented exploits. ContextCrush, Unit42 sampling attacks, and cross-agent escalation prove the attack surface is real. Here is how gateway-level interception stops them.
- [The MCP Registry Landscape: Why It Matters and How to Auto-Publish Your Server](https://mcpblog.dev/blog/2026-03-17-mcp-registry-guide): MCP servers are scattered across GitHub repos, awesome-lists, and third-party directories. The Official MCP Registry changes that. Here's why registries matter, how the ecosystem fits together, and how to set up automatic publishing from your CI pipeline.
- [Deploy Your Own Agent Messaging Hub in 15 Minutes -- For Free](https://mcpblog.dev/blog/2026-03-16-deploy-agent-messaging-hub): SynapBus is a single Go binary that gives your AI agent swarm Slack-like messaging, semantic search, and MCP connectivity. Deploy it with Docker or Kubernetes, expose it via Cloudflare Tunnel, and connect your first agents -- total cost: $0.
- [A2A v1.0 Is Here: How Google's Agent Protocol Complements MCP](https://mcpblog.dev/blog/2026-03-15-a2a-v1-mcp): Google's Agent-to-Agent protocol just hit v1.0 under the Linux Foundation. Here is how A2A and MCP work together to enable the next generation of AI agent architectures.
- [The OWASP MCP Top 10: A Security Framework for the AI Agent Era](https://mcpblog.dev/blog/2026-03-15-owasp-mcp-top-10): The OWASP MCP Top 10 maps the most critical security risks in AI agent tool integration — from tool poisoning to context poisoning. Here is what practitioners need to know.
- [Securing MCP Servers: From Tool Poisoning to Filesystem Sandboxing](https://mcpblog.dev/blog/2026-03-13-mcp-filesystem-sandboxing): The MCP security landscape has evolved through three waves: protocol scanning, traffic proxying, and OS-level sandboxing. Here's the full map of projects and where the frontier is heading.
- [MCP Tool Annotations: What They Are, Why They Matter, and What's Coming Next](https://mcpblog.dev/blog/2026-03-13-mcp-tool-annotations): The MCP spec includes five tool annotation fields that tell agents whether tools are read-only, destructive, or open-world. Most servers don't use them. Here's why that needs to change.
- [NIST Evaluates MCP for AI Agent Identity Governance](https://mcpblog.dev/blog/2026-03-08-nist-mcp-agent-identity): NIST's draft concept paper lists MCP as one of five standards under evaluation for agentic AI authentication. What this means for MCP's legitimacy and enterprise adoption.
- [Why Google Dropped MCP: Context Explosion and the Tool Discovery Problem](https://mcpblog.dev/blog/2026-03-09-context-explosion-tool-discovery): Google quietly removed MCP from its Workspace CLI after tool definitions ballooned context windows to 100K tokens. The tool discovery problem is MCP's biggest scaling barrier.
- [The Confused Deputy Problem in MCP Authentication](https://mcpblog.dev/blog/2026-03-10-confused-deputy-mcp-auth): MCP's authentication model has a fundamental gap: servers cannot verify whether an agent was authorized to use the credentials it presents. Here's why this matters and what's being done about it.
- [Anatomy of the Clinejection Attack: When AI Agents Become Supply Chain Vectors](https://mcpblog.dev/blog/2026-03-11-clinejection-anatomy): A detailed breakdown of the Clinejection attack chain that compromised the Cline VS Code extension in January 2026, and what it reveals about trust boundary gaps in MCP composition.
- [The State of MCP Security in 2026: What You Need to Know](https://mcpblog.dev/blog/2026-03-12-state-of-mcp-security): A comprehensive look at the security landscape of the Model Context Protocol ecosystem - from tool poisoning attacks to emerging defenses.

## Links

- Blog: https://mcpblog.dev/blog
- RSS: https://mcpblog.dev/rss.xml
- Full content for LLMs: https://mcpblog.dev/llms-full.txt
- About: https://mcpblog.dev/about