Security

Every MCP risk signal in one place — CVEs, tool safety, drift, naming, licenses. Heuristic: review signals, not verdicts.

Known CVE vulnerabilities mapped to tracked servers via OSV.dev, newest disclosures first; switch to the severity worklist to triage by impact — a review signal, not a verdict. CVE feed as of 2h ago · next check in 1h.

most-affected 30d · 41 new
inherited CVEs via tracked dependencies

Scope: only dependencies that are themselves tracked MCP servers. A CVE in an untracked package (a general npm/PyPI library) does not flow here — this is partial supply-chain visibility, not a full transitive audit.

  1. NONE local-mcp MAL-2026-4601
    MAL-2026-4601
  2. NONE @scp3500/openvl MAL-2026-4431
    MAL-2026-4431
  3. HIGH mcp-server-kubernetes MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement EPSS 0%
  4. CRITICAL openyak/openyak OpenYak local API: unauthenticated CSRF chain leads to Remote Code Execution
  5. HIGH Q00/ouroboros Remote Code Execution via Untrusted Project-Directory .env EPSS 1%
  6. NONE prjct-cli Malicious code in prjct-cli (npm)
    MAL-2026-4647
  7. NONE claude-all-config Malicious code in claude-all-config (npm)
    MAL-2026-4522
  8. MEDIUM @apify/actors-mcp-server Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching EPSS 0%
  9. HIGH langgenius/dify Unauthenticated Server-Side Request Forgery in /console/api/remote-files/upload endpoint
    GHSA-8235-vv5j-mmvg
  10. LOW langgenius/dify Dify API Extension has SSRF Vulnerability
    GHSA-cg9f-q34p-p9h3
  11. NONE mcp-mermaid Malicious code in mcp-mermaid (npm)
    MAL-2026-4147
  12. NONE @antv/mcp-server-chart Malicious code in @antv/mcp-server-chart (npm)
    MAL-2026-4069
  13. HIGH n8n-mcp n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete EPSS 0%
  14. MEDIUM n8n-mcp n8n-MCP: Workflow telemetry sanitizer could retain partial values from URL-shaped node parameters EPSS 0%
  15. MEDIUM always-further/nono nono: Sandbox escape on Linux via D-Bus: `systemd-run --user` EPSS 0%
  16. HIGH verygoodplugins/whatsapp-mcp Unauthenticated bridge API allows message sending and arbitrary file exfiltration
  17. HIGH open-metadata/OpenMetadata [OpenMetadata 1.12.1] TEST_CONNECTION workflow leaks ingestion-bot JWT and database password to regular user EPSS 0%
  18. LOW dbt-labs/dbt-mcp All MCP Tool Arguments Including Raw SQL and --vars Credentials Transmitted to dbt Labs Telemetry by Default Without Redaction EPSS 0%
  19. LOW dbt-labs/dbt-mcp Tool Arguments Including SQL Queries and Credentials Logged in Plaintext Without Redaction When File Logging Is Enabled EPSS 0%
  20. MEDIUM dbt-labs/dbt-mcp Argument Injection in dbt CLI Tool Wrappers via node_selection and resource_type Parameters EPSS 0%
  21. MEDIUM n8n-io/n8n Credential exfiltration via Allowed HTTP Request Domains Bypass
    GHSA-3875-8gcx-7v46
  22. CRITICAL n8n-io/n8n Arbitrary File Read via Git Node EPSS 0%
  23. CRITICAL n8n-io/n8n HTTP Request Node Pagination Prototype Pollution to RCE EPSS 0%
  24. HIGH n8n-io/n8n Cross-user Authorization Bypass in Dynamic Credential OAuth Endpoints EPSS 0%
  25. MEDIUM n8n-io/n8n Legacy ExecuteWorkflow Node Bypassed File Path Restrictions
    GHSA-2vx9-7wpg-88jq