Microsoft said my Azure MCP report was 'by design.' They're right — and that's the problem.

A tool that sends email was annotated read-only. That annotation decides whether your MCP client asks for confirmation. It's an advisory hint, not a security boundary — and the gap between those two facts is exploitable.

We scanned 763 MCP servers. Here's what we found.

Most MCP servers ship with no input validation. A few have exploitable vulnerabilities. The real risk is in how tools combine.

Safety Control Tampering: A New Class of Attack on AI Agents

CVE-2026-25253 revealed a 1-click RCE in OpenClaw. We analyzed the attack chain and found a pattern that goes beyond this single vulnerability — attackers disabling safety controls before exploitation.