AI Security

MCP Server Security 2026: 8,000 Exposed, 492 With No Authentication

8,000+ Model Context Protocol servers are publicly exposed. 492 have zero authentication. 36.7% are vulnerable to SSRF. How to protect PII in your MCP tool calls.

March 16, 2026 · 7 min read
Tags: MCP server, Model Context Protocol, AI security, PII protection, Cursor, Claude Desktop, developer security

The MCP Ecosystem Exploded — Security Did Not Keep Up

The Model Context Protocol, introduced by Anthropic in late 2024, became the de facto standard for connecting AI assistants to external tools in under 18 months. By March 2026, the MCP ecosystem includes database connectors, file system servers, GitHub integrations, Slack bridges, email clients, and hundreds of domain-specific tool servers.

The adoption curve is steep. The security posture is not.

As of March 2026, 8,000+ MCP servers are publicly accessible on the internet. Security researchers scanning for MCP endpoints found 492 servers with zero authentication — no API key, no OAuth, no IP restriction. Any HTTP client can call their tools. 36.7% of sampled MCP servers are vulnerable to SSRF (Server-Side Request Forgery), meaning an attacker who controls tool input can pivot from the MCP server to internal network resources.

In the same period, 30+ CVEs were filed against MCP implementations in 60 days — a rate that reflects both the immaturity of the ecosystem and the intensity of researcher attention it has attracted.
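The SSRF figure above concerns tool servers that fetch a URL supplied in tool input, where the model (and therefore whoever shaped its input) chooses the destination. The Python below is an added example, not code from the page or from any MCP implementation, showing the egress check such a server should apply before fetching: refuse non-HTTP schemes and any literal or resolved address that is not public. The FAKE_DNS table is a constructed stand-in for real resolution so the example runs offline; a real server passes a resolver that performs the lookup.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed resolver table so the example runs offline; no real DNS is queried.
FAKE_DNS = {
    "api.example.com": "93.184.216.34",       # public address
    "metadata.internal": "169.254.169.254",   # cloud metadata endpoint (link-local)
    "intranet.corp": "10.0.0.5",              # RFC 1918 private range
}


def resolve(host, resolver=None):
    """Resolve host to an IP string; defaults to the constructed FAKE_DNS table."""
    table = resolver if resolver is not None else FAKE_DNS
    if host not in table:
        raise ValueError(f"unresolvable host: {host}")
    return table[host]


def is_safe_target(url, resolver=None):
    """Return (ok, reason). ok is False for any URL a tool should refuse to fetch:
    non-HTTP schemes, missing hosts, and addresses that are loopback, private,
    link-local, multicast, reserved or unspecified (whether literal or resolved)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        addr = ipaddress.ip_address(host)          # literal IPv4/IPv6
    except ValueError:
        try:
            addr = ipaddress.ip_address(resolve(host, resolver))
        except ValueError as exc:
            return False, str(exc)
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return False, f"{host} resolves to non-public address {addr}"
    return True, f"{host} -> {addr}"


if __name__ == "__main__":
    for candidate in ("https://api.example.com/v1", "http://metadata.internal/latest",
                      "http://127.0.0.1:8080/", "file:///etc/passwd"):
        print(candidate, is_safe_target(candidate))
```

Resolve once, check the result, and connect to that same address; checking the hostname and then letting the HTTP client resolve it a second time leaves a DNS-rebinding window. A real server would also bound or disable redirects, since a redirect to an internal address bypasses a check made only on the first URL.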

Why MCP Creates PII Risk

MCP is designed to give AI assistants the ability to take actions and access data. That is also precisely what makes it a PII risk vector.

When a developer uses Cursor or Claude Desktop with an MCP database connector, the AI assistant generates SQL queries based on the user's natural language request. Those queries return real data — which may include customer names, email addresses, payment information, or other PII. That data flows:

  1. From the database MCP server → to the AI assistant's context window
  2. From the context window → potentially to the model provider's logging infrastructure
  3. From the conversation history → to the developer's local machine
  4. From debugging sessions → to other AI assistants when the developer pastes context

None of these steps is necessarily a breach; they are the intended behavior of MCP. But the result is that PII travels through multiple systems that were not designed to handle it, and in many implementations without encryption in transit between the MCP server and the AI client.

CVE-2026-25253 (CVSS 8.8), disclosed in February 2026, demonstrated a specific attack: a maliciously configured MCP server could inject instructions into tool call responses that caused the connected AI assistant to exfiltrate data from other connected MCP servers. A developer connecting to a compromised community MCP server while also having their database MCP server active could expose their entire database to the attacker.

The 492 Zero-Auth Servers

The 492 MCP servers with no authentication represent a different risk than CVE-2026-25253. These are not compromised legitimate servers — they are simply misconfigured. Many appear to be developer tools that were meant to be local-only but were exposed via port forwarding or cloud deployment without access controls.

What these servers commonly expose:

  • File system tools with read access to home directories
  • Database connectors with production credentials embedded in config
  • Email MCP servers with access to corporate inboxes
  • Code execution environments (the most dangerous — arbitrary code execution with no auth)

The developers who built these servers almost certainly did not intend to expose them publicly. But Cursor and Claude Desktop do not distinguish between a localhost MCP server and a publicly exposed one — they connect to whatever URL the user provides in their configuration.
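The two defects behind the accidental exposures above are a listener bound to every interface and a handler that never checks a credential. The minimal HTTP tool server below is an added example, not code from the page, Cursor, Claude Desktop or anonym.legal, showing both fixes with Python's standard library: it listens on loopback unless remote access is explicitly requested, and it rejects any request whose bearer token does not match, using a constant-time comparison. The API key default and the health_check dispatch are constructed placeholders.

```python
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholder; a real deployment loads the key from a secret store.
API_KEY = os.environ.get("MCP_API_KEY", "replace-me-example-key")


def authorize(headers, expected_key=API_KEY):
    """True only if 'Authorization: Bearer <token>' matches expected_key.
    headers is any mapping with .get(); compare_digest keeps timing constant."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected_key.encode())


def bind_address(port=8080, allow_remote=False):
    """Listen on loopback by default; 0.0.0.0 only when remote access is explicit."""
    return ("0.0.0.0" if allow_remote else "127.0.0.1", port)


def handle_tool_call(request):
    """Constructed dispatch: only a health_check tool exists in this example."""
    tool = request.get("tool")
    if tool == "health_check":
        return {"ok": True, "tool": tool}
    return {"ok": False, "error": f"unknown tool {tool!r}"}


class ToolHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        # Authentication happens before the body is even read.
        if not authorize(self.headers):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Bearer realm="mcp"')
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        try:
            request = json.loads(self.rfile.read(length) or b"{}")
        except json.JSONDecodeError:
            self.send_response(400)
            self.end_headers()
            return
        body = json.dumps(handle_tool_call(request)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(bind_address(), ToolHandler).serve_forever()
```

The loopback default is the important line: a developer who later port-forwards or deploys this to a cloud host has to change allow_remote deliberately, and the bearer check is still in place when they do. For anything beyond a single-developer tool, put TLS in front of it as well, since the token travels in a header.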

The anonym.legal MCP Solution

The structural fix for PII risk in MCP pipelines is to anonymize data before it reaches any tool call that sends it to an LLM. This is what the anonym.legal MCP server provides.

The server exposes 7 tools:

Tool                       Purpose
analyze_text               Detect PII entities and return their positions and types
anonymize_text             Strip or pseudonymize detected PII
deanonymize_text           Reverse pseudonymization using your encryption key
anonymize_batch            Process multiple texts in one call
get_supported_entities     List all 285+ entity types for a given language
get_supported_languages    List all 48 supported languages
health_check               Verify connectivity

When an AI assistant has both the anonym.legal MCP server and a database MCP server configured, the developer can instruct: "Before displaying any customer data from the database, call anonymize_text on the result." The AI handles the orchestration — and PII never reaches the model's visible output or conversation history in identifiable form.
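To make the analyze / anonymize / deanonymize flow above concrete, here is a reduced Python sketch of those three tools, added as an illustration; it is not the anonym.legal implementation or API, and it detects only three entity types with regular expressions rather than the 285+ the server supports. Pseudonyms are derived with an HMAC under the caller's key, so the same value maps to the same token within a key (joins across records still work) while the token alone reveals nothing. The vault that maps tokens back to originals is what deanonymize_text needs; in this sketch it is returned to the caller in clear, whereas a service that reverses by key would hold it encrypted under that key. The sample ticket text is constructed.

```python
import hashlib
import hmac
import re

# Three detectors, constructed for this example; the real server covers 285+ types.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "PHONE": re.compile(r"\+?\d[\d\s-]{7,}\d"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9 ]{11,30}\b"),
}

# Constructed sample: the kind of support-ticket text a developer might paste.
SAMPLE = ("Ticket 4411: customer jane.doe@example.com called from +49 30 1234567 "
          "about a refund to DE89 3704 0044 0532 0130 00.")


def analyze_text(text):
    """Return detected entities as (type, start, end, value), ordered by position
    (longest match first when two start at the same offset)."""
    found = []
    for etype, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            found.append((etype, m.start(), m.end(), m.group()))
    return sorted(found, key=lambda e: (e[1], -e[2]))


def anonymize_text(text, key):
    """Replace each entity with a keyed pseudonym such as <EMAIL_3f9a1c02>.
    Returns (anonymized_text, vault); vault maps pseudonym -> original and
    must stay on the caller's side, never in the model's context."""
    out, vault, pos = [], {}, 0
    for etype, start, end, value in analyze_text(text):
        if start < pos:          # overlaps an entity already replaced (e.g. digits inside an IBAN)
            continue
        tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:8]
        token = f"<{etype}_{tag}>"
        vault[token] = value
        out.extend((text[pos:start], token))
        pos = end
    out.append(text[pos:])
    return "".join(out), vault


def deanonymize_text(text, vault):
    """Restore originals; only a holder of the vault can do this."""
    for token, value in vault.items():
        text = text.replace(token, value)
    return text


if __name__ == "__main__":
    key = b"constructed-example-key"
    anon, vault = anonymize_text(SAMPLE, key)
    print(anon)
    print("round trip ok:", deanonymize_text(anon, vault) == SAMPLE)
```

The overlap check matters more than it looks: the digit runs inside the IBAN also match the phone pattern, and without it the second detector would corrupt the first replacement. It is also why the real server's 285+ types are worth more than a handful of regexes, since names, addresses and identifiers that do not follow a fixed format are exactly what a regex sketch like this one misses.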

Cursor IDE Integration

To add the anonym.legal MCP server to Cursor:

// .cursor/mcp.json
{
  "mcpServers": {
    "anonym-legal": {
      "url": "https://anonym.legal/mcp",
      "transport": "sse",
      "headers": {
        "Authorization": "Bearer YOUR_API_KEY"
      }
    }
  }
}

Once configured, you can ask Cursor: "Analyze this support ticket for PII before I paste it into the issue tracker." Cursor calls analyze_text, returns the entity list, and you can decide whether to anonymize before pasting.

Claude Desktop Integration

// claude_desktop_config.json
{
  "mcpServers": {
    "anonym-legal": {
      "command": "npx",
      "args": ["-y", "@anonym-legal/mcp-server"],
      "env": {
        "ANONYM_API_KEY": "YOUR_API_KEY"
      }
    }
  }
}

With this configuration, Claude Desktop can anonymize any text you share before including it in tool calls sent to other MCP servers. The anonymization happens client-side in your Claude Desktop session — the PII never reaches Anthropic's servers in identifiable form.

Hardening Your MCP Setup

Beyond using anonym.legal MCP, apply these hardening steps to your MCP configuration:

Audit your server list. Review every MCP server in your Cursor/Claude Desktop config. For each one, verify that you trust the operator and understand what data it can access.

Prefer local servers over remote. Local MCP servers (connected via stdio rather than HTTP) do not create network exposure. Use remote servers only when there is no local alternative.

Check authentication. Every remote MCP server you connect to should require an API key or OAuth token. If it does not, do not use it with contexts containing PII.

Separate development and production. Use separate MCP server configurations for development work (synthetic data, no PII) and any workflows that touch production data.

Monitor tool call logs. If your MCP server supports audit logging, enable it. Know what data flowed through which tool call.
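Most of the hardening steps above can be checked mechanically against the config files themselves. The Python script below is an added example, not a tool shipped by anonym.legal, Cursor or Claude Desktop: it reads a config in the mcpServers shape used by both files shown earlier and reports remote servers configured without an Authorization header, remote servers reached over plain http, placeholder keys left in place, and credentials embedded in a local server's command line. SAMPLE_CONFIG is constructed; its server names, hosts and packages are examples, not real services.

```python
import json
import re
from urllib.parse import urlparse

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed config in the mcpServers shape used by .cursor/mcp.json and
# claude_desktop_config.json. Names, hosts and packages are examples only.
SAMPLE_CONFIG = json.loads("""
{
  "mcpServers": {
    "anonym-legal": {
      "url": "https://anonym.legal/mcp",
      "transport": "sse",
      "headers": {"Authorization": "Bearer YOUR_API_KEY"}
    },
    "community-notes": {
      "url": "http://203.0.113.10:8080/mcp",
      "transport": "sse"
    },
    "prod-db": {
      "command": "npx",
      "args": ["-y", "example-db-mcp", "--dsn", "postgres://app:s3cret@db.example.internal/prod"]
    },
    "local-files": {
      "command": "python",
      "args": ["fs_server.py", "--root", "/home/dev"]
    }
  }
}
""")


def audit_server(name, server):
    """Return (name, severity, message) findings for one mcpServers entry."""
    findings = []
    if "url" in server:                                   # remote (HTTP/SSE) server
        parsed = urlparse(server["url"])
        headers = {k.lower(): v for k, v in server.get("headers", {}).items()}
        remote = parsed.hostname not in LOCAL_HOSTS
        if remote and parsed.scheme != "https":
            findings.append((name, "HIGH", f"remote server reached over {parsed.scheme}: not encrypted in transit"))
        if remote and "authorization" not in headers:
            findings.append((name, "HIGH", "remote server with no Authorization header: zero-auth"))
        if "YOUR_API_KEY" in headers.get("authorization", ""):
            findings.append((name, "LOW", "placeholder API key left in config"))
    else:                                                 # local (stdio) server
        args = " ".join(server.get("args", []))
        # user:password@ inside a URL-style DSN passed on the command line
        if re.search(r"://[^\s/]+:[^\s/]+@", args):
            findings.append((name, "MEDIUM", "credential embedded in command-line args (visible in the process list)"))
        for var, value in server.get("env", {}).items():
            if "YOUR_API_KEY" in str(value):
                findings.append((name, "LOW", f"placeholder value in env {var}"))
    return findings


def audit_config(config):
    """Audit every entry under mcpServers; findings are ordered by severity."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        findings.extend(audit_server(name, server))
    return sorted(findings, key=lambda f: order[f[1]])


if __name__ == "__main__":
    for name, severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {name}: {message}")
```

Run it against the real files (json.load on .cursor/mcp.json or claude_desktop_config.json in place of SAMPLE_CONFIG) as part of the "audit your server list" step. The trust question, whether you know the operator behind each remote URL, still needs a human; the script only makes sure the mechanical problems are not hiding behind it.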

The 30+ CVEs in 60 days signal that MCP security is actively being researched. New vulnerabilities will be disclosed. The structural defense — anonymizing before any data reaches a tool call that touches an LLM — remains effective regardless of which specific CVE is discovered next.



Sources:

  • Shodan MCP server exposure data, March 2026 — 8,000+ servers, 492 zero-auth
  • CVE-2026-25253, CVSS 8.8, MCP cross-server injection vulnerability
  • SSRF vulnerability data: security research scan of publicly accessible MCP endpoints, March 2026
  • Anthropic MCP specification v1.2, security considerations section
