Wallarm: MCP Security Risks Jump 270% as AI Agents Multiply

Wallarm's latest API ThreatStats report logs a 270% quarterly surge in Model Context Protocol vulnerabilities. 315 MCP-related flaws, one already tied to a Top 10 breach, and a familiar root cause: Broken authentication. What the data says about the agent control plane and where to start hardening it.

Jan Schmitz | 12 min read

TL;DR: Wallarm’s Q3 2025 API ThreatStats report, expanded with new analysis this spring, finally puts hard numbers on something security teams have been muttering about for months. The Model Context Protocol is becoming the soft underbelly of enterprise AI. The firm logged 315 MCP-related vulnerabilities, a 270% quarter-over-quarter jump, and tied at least one Top 10 API breach to thousands of exposed MCP servers. CEO Ivan Novikov calls it a “flashing red light.” The uncomfortable part is the cause: Broken auth and missing runtime checks, the same mistakes that have plagued APIs for a decade, sitting now on the control plane for autonomous agents.

There’s a pattern in cybersecurity that repeats every few years. A new layer of infrastructure gets bolted onto enterprise stacks (cloud, containers, microservices, serverless) and it ships before anyone agrees on what “secure by default” looks like for it. Adoption races ahead of guardrails. Then the breach reports start landing.

The Model Context Protocol is mid-pattern right now, and Wallarm has the receipts. The API security vendor’s latest ThreatStats analysis, picked up this month by TipRanks and a string of industry outlets, pegs MCP-related vulnerabilities at a 270% quarter-over-quarter increase, with 315 distinct flaws catalogued and one Top 10 breach already on the board. Inside that headline number is a more uncomfortable story. Most of the MCP attacks landing on the report are old friends in new packaging. Broken authentication above all else, with unsafe API consumption a few rungs behind.

For anyone shipping agentic AI into production this year, that’s the warning shot.

What Wallarm actually found

Strip away the press release voice and the Q3 2025 ThreatStats report (which Wallarm has continued to build on through Q1 2026) comes down to four data points.

Start with raw growth. Wallarm tracked 1,602 API vulnerabilities disclosed in Q3 2025 alone, a 20% bump quarter over quarter. Inside that pile, MCP vulnerabilities jumped 270%, AI-API vulnerabilities rose 57%, and agentic AI flaws climbed 67%. Three categories that didn’t really exist as named telemetry buckets two years ago are now outpacing everything else the firm tracks.

The share of the AI risk pie is the next gut punch. MCP issues alone account for 14% of all AI-related vulnerabilities Wallarm logs. That’s a single protocol, one most enterprise security teams hadn’t heard of eighteen months ago, eating a meaningful slice of an entire risk category.

Then there’s the cause analysis, which is where things get uncomfortable. Broken authentication was the culprit in 52% of incidents. Unsafe consumption of APIs accounted for 27%. Security misconfiguration (OWASP API8) explained 38% of all API flaws across the dataset, and authorization gaps (API1 plus API5) added another 28%. None of this is exotic. None of it requires an adversarial machine learning paper to understand. It’s the same OWASP API Top 10 we’ve been arguing about since 2019.

Finally, the real-world hit. One of the Top 10 incidents in the period involved thousands of MCP servers compromised through a path-traversal vulnerability. The attackers walked in through weak auth and insecure backend interactions and ended up with access to live production AI workflows. No model weights manipulated, no clever prompt injection chain involved. As Channel Insider summarized it, “good old API vulnerabilities” did the work.

Ivan Novikov, Wallarm’s CEO, puts it bluntly in the company’s release: “The 270% rise in MCP-related vulnerabilities is a flashing red light. AI is deeply intertwined with APIs, and organizations aren’t yet prepared for how these AI interfaces expand the attack surface.”

The phrase “risk multiplier” comes up a lot in Wallarm’s own commentary, and it’s the right framing. AI didn’t invent new classes of bugs. It accelerated the exploitation of the ones we already had.

A quick refresher on what MCP is and why it sits where it does

If you’ve been heads-down shipping for the last year, the speed of MCP adoption is difficult to overstate.

Anthropic introduced the Model Context Protocol in November 2024 as an open standard for connecting AI models to external tools, data sources, and systems. The idea was simple and overdue. Instead of every team writing bespoke integrations between every LLM and every backend, you’d have a single protocol, a “USB for AI agents” as the early pitch went, that let any compliant model talk to any compliant tool.

By March 2026, Anthropic was reporting over 10,000 active public MCP servers and roughly 97 million monthly SDK downloads across the Python and TypeScript implementations. OpenAI, Google DeepMind, Microsoft, AWS, and Cloudflare have all signed on. Anthropic donated the protocol to the Linux Foundation’s new Agentic AI Foundation earlier this year, and Forrester is forecasting that 30% of enterprise app vendors will ship their own MCP servers in 2026.

What matters for the security conversation is what MCP actually does in an architecture diagram. MCP sits at the control plane for agents. It’s the layer that decides which tools an autonomous workflow can call and on whose behalf. When that layer gets compromised, the attacker takes partial control of whatever process the agent was orchestrating, not just the data behind one endpoint.

That’s why Wallarm’s findings should land harder than another routine API vuln report. The blast radius is qualitatively different.

The OWASP Top 10, wearing a new hat

What’s interesting about Wallarm’s data is what isn’t in it. No novel “MCP-specific” exploit class is doing the bulk of the damage. The vulnerabilities are recognizably the same ones API security teams have been chasing for years, just with the agent layer as the new attack surface.

Reading across Wallarm’s own MCP security checklist, which maps to OWASP’s Multi-Agentic System Threat Modeling Guide v1.0, the recurring offenders are familiar:

  • Broken authentication. MCP servers exposed without identity verification, or accepting long-lived credentials that should have been rotated. The OWASP threat ID here is T40, MCP client impersonation, and it shows up in incident after incident.
  • Over-permissioned tools. Tools registered with privilege scopes wider than the workflow needs, so a single prompt injection can pivot from “summarize this PDF” to “exfiltrate the whole Drive.”
  • Insufficient MCP server isolation (T45). Servers with enough host permission to lateral-move once compromised.
  • Insecure communication (T30). Plaintext transport, missing mTLS, certs that nobody validates.
  • Resource overload (T4) and model instability (T26). Misuse vectors that produce denial of service when a misbehaving or adversarial agent retries indefinitely.
  • Service account exposure (T21). Credentials leaking into tool descriptions, logs, or output streams.
  • Rogue MCP servers in the ecosystem (T47). Look-alike or fully malicious servers in registries that get picked up by trusting clients.

What these have in common is mundane: Recognizable API security failures and identity hygiene failures, applied to a new surface that happens to be reachable by autonomous agents. That’s exactly Novikov’s “risk multiplier” point. The reason a 270% jump feels so vertiginous is that the existing bug classes now sit one prompt away from a system that will actively try to call them.

The 2025-2026 breach timeline tells the same story

Wallarm’s numbers fit neatly inside a broader breach record that’s been accumulating across the security press. The Authzed timeline of MCP breaches, which has become a de facto reference, reads like a greatest-hits list of unsafe defaults.

The WhatsApp MCP exfiltration in April 2025 used a “random fact of the day” tool as cover to dump entire chat histories to attacker numbers. The GitHub MCP prompt-injection chain in May 2025 turned malicious issue descriptions into vehicles for reading private repos. June 2025 brought an Asana cross-tenant data leak and CVE-2025-6514, a command injection in the mcp-remote OAuth proxy package that JFrog disclosed. That one alone affected 437,000+ downloads and pulled in integrations published by Cloudflare, Hugging Face, and Auth0.

July through September 2025 added more. Sandbox escapes in the Filesystem MCP server. A malicious Postmark MCP that quietly BCC’d customer email to an attacker. A remote code execution vector in Flowise. The Smithery MCP hosting breach that leaked builder credentials and Fly.io tokens covering 3,000+ hosted servers.

The opening months of 2026 were no quieter. The Hacker News reported on OX Security’s disclosure of a systemic STDIO transport flaw in Anthropic’s own reference implementation, described by researchers as “by design,” that affected 150+ million downloads across LettaAI, LangFlow, and Windsurf, with an estimated 200,000 vulnerable instances and at least ten linked CVEs. A path-traversal flaw in excel-mcp-server (CVE-2026-40576) made unauthenticated arbitrary file read and write trivial when the server ran on its default 0.0.0.0 bind. An nginx-ui MCP integration bug exposed 2,600+ public instances to authentication bypass and full takeover.

Every single one of those incidents fits Wallarm’s category breakdown. Broken auth. Over-broad scopes. Missing runtime enforcement. Insecure defaults. None of it required a PhD in adversarial ML.

Why the “control plane” framing matters

It’s tempting to read all of this as another wave of API breaches. The reason Wallarm’s report keeps emphasizing the protocol layer is what an MCP server actually controls.

A traditional REST API breach is bad. Whatever data is behind the endpoint can leak, and whatever actions the endpoint exposes can be invoked. The damage scales with the API.

An MCP server breach is a category up. Because MCP is the protocol agents use to choose and call tools, compromising it gives the attacker influence over a decision-making loop rather than a single endpoint. A poisoned tool description can rewrite which tools the agent prefers and the order it calls them in. A path-traversal in an MCP server can expose the entire ambient context the agent uses to reason about its next action.

This is the part Novikov is gesturing at when he calls MCP “the control plane API for agents.” Compromise the protocol and you’re handing the attacker partial control over an autonomous workflow the org has already decided to trust.

The blast radius scales with the agent’s authority, not the size of the database. If your agent can ship code or close support tickets, so can the attacker once they own the channel that tells the agent what to do.

Where Wallarm fits in the response

Wallarm itself has obvious skin in the game. The company’s platform extension to MCP and AI agents, announced over the last two quarters, is exactly the product story you’d expect a company publishing this kind of threat data to be telling. Discover servers in your environment, enforce policy in real time, test for the OWASP-aligned vulnerabilities the report keeps surfacing.

Worth naming plainly: Vendor research is rarely disinterested, and the 270% number works very hard for Wallarm’s go-to-market narrative.

But the underlying methodology (counting disclosed vulnerabilities, mapping them to OWASP categories, cross-referencing with CISA’s Known Exploited Vulnerabilities catalog, which showed 16% of entries were API-related in the period) is conservative compared to the wilder forecasts circulating in the AI security space. Independent researchers, including the academic team behind the DSN 2026 paper on MCP ecosystem security, are reporting similar pictures from completely different angles. The trend is real even after you discount for the marketing.

What changes for security teams in the next six months

If your organization is anywhere on the agentic AI curve, the practical implications of Wallarm’s findings are concrete. For context: Per Gartner’s August 2025 forecast, fewer than 5% of enterprise applications featured task-specific AI agents in production at the end of 2025, with Gartner expecting that to hit 40% by the end of 2026.

  1. Treat MCP servers as privileged API endpoints, not as developer tools. The big enabler of most 2025 breaches was that MCP servers got deployed with the security posture of localhost utilities. They aren’t. Any MCP server reachable from a network, including supposedly “internal” agent runtimes, needs the same controls you’d put on a production OAuth provider: Scoped credentials, short-lived tokens, mTLS, full request logging.

  2. Inventory before you mitigate. The Smithery breach and the Anthropic STDIO disclosure both relied on attackers knowing about MCP servers the operating organization had effectively forgotten. If you can’t enumerate every MCP server attached to your agents, including the ones that came in as transitive dependencies of an SDK or marketplace install, you’re not in a position to defend them. Discovery is the first project.

  3. Scope tools to workflows, not to identities. Over-permissioning shows up in nearly every post-mortem. The model an agent is built around doesn’t need read access to your entire Drive because someone wired up “list files.” Each tool should expose the minimum capability for the specific workflow that needs it, and the agent’s identity shouldn’t silently inherit the human user’s full scope.

  4. Assume tool descriptions are adversarial input. Tool poisoning attacks, where malicious instructions hide inside tool metadata that the agent reads but the human reviewer never sees, have a reported success rate above 60% across major LLM agents. Treat any tool description, schema field, or returned response from a third-party MCP server as untrusted text that needs the same input handling you’d apply to user content.

  5. Put a human in the loop for destructive or cross-tenant actions. The hardest lesson of the 2025-2026 incident wave is that “the agent will figure it out” doesn’t survive contact with an attacker. Any action that crosses tenant boundaries, modifies infrastructure, sends external communications, or moves money should require explicit human confirmation, not just an internal model judgment.

  6. Adopt the OWASP Multi-Agentic System Threat Model. The T-numbered threats (T2, T11, T21, T30, T40, T45, T47, and the rest) referenced throughout Wallarm’s checklist are turning into the shared vocabulary the industry will use. Mapping your own architecture against them now is cheaper than mapping it after an incident.
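Items 1, 3, 4 and 5 above describe a single pre-dispatch gate an MCP server can run before it hands any tool call to a backend. The block below is an added illustration of that gate, not code from Wallarm, Anthropic or any MCP SDK: the `Token` object, the `TOOLS` registry, the `WORKFLOWS` allowlists and the `MAX_TOKEN_LIFETIME` policy are all constructed for the example. A real deployment would obtain the token fields from a verified signed credential (JWT validation or IdP introspection) rather than trusting a plain object, and the description screen is a hold-for-review heuristic, not proof that a tool is malicious.

```python
"""Added example of a pre-dispatch policy gate for an MCP server.

Not Wallarm's or the MCP project's code. Token format, tool registry,
workflow names and the lifetime policy are constructed for illustration.
"""

import re
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed tool registry. Each tool declares the scope it needs and whether
# it destroys data, crosses a tenant boundary or sends something externally
# (those require explicit human confirmation, per item 5).
TOOLS = {
    "list_files":  {"scope": "drive:read",  "confirm": False},
    "delete_file": {"scope": "drive:write", "confirm": True},
    "send_email":  {"scope": "mail:send",   "confirm": True},
}

# Constructed workflow allowlists: a workflow may call only the tools it needs
# (item 3: scope to the workflow, not to the human user's full identity).
WORKFLOWS = {
    "summarize_pdf": {"list_files"},
    "inbox_cleanup": {"list_files", "delete_file"},
}

# Policy maximum for token lifetime (item 1: short-lived credentials).
MAX_TOKEN_LIFETIME = 15 * 60  # seconds; assumed value for the example

# Heuristic screen for third-party tool descriptions (item 4): phrases that
# address the model rather than describe the tool. A hit means "hold for
# review", not "proven malicious".
SUSPICIOUS = re.compile(
    r"ignore (all |any )?(previous|prior) instructions"
    r"|do not (tell|mention|show)"
    r"|system prompt"
    r"|<important>",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Token:
    subject: str        # the agent's own identity, not the human user's
    workflow: str
    scopes: frozenset
    issued_at: float
    expires_at: float


@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_human: bool = False
    audit: dict = field(default_factory=dict)  # item 1: log every request


def token_problem(tok: Token, now: float) -> Optional[str]:
    """Return why the token is unacceptable, or None if it passes."""
    if tok.expires_at <= now:
        return "token expired"
    if tok.expires_at - tok.issued_at > MAX_TOKEN_LIFETIME:
        return "token lifetime exceeds policy maximum"
    return None


def screen_description(description: str) -> list:
    """Return suspicious phrases found in a tool description (may be empty)."""
    return [m.group(0) for m in SUSPICIOUS.finditer(description)]


def authorize_call(tok: Token, tool_name: str, now: Optional[float] = None) -> Decision:
    """Decide whether this token may invoke this tool right now."""
    now = time.time() if now is None else now
    audit = {"subject": tok.subject, "workflow": tok.workflow,
             "tool": tool_name, "at": now}

    problem = token_problem(tok, now)
    if problem:
        return Decision(False, problem, audit=audit)

    tool = TOOLS.get(tool_name)
    if tool is None:
        return Decision(False, "unknown tool", audit=audit)

    if tool_name not in WORKFLOWS.get(tok.workflow, set()):
        return Decision(False, f"tool not in workflow '{tok.workflow}' allowlist",
                        audit=audit)

    if tool["scope"] not in tok.scopes:
        return Decision(False, f"missing scope {tool['scope']}", audit=audit)

    # Allowed, but destructive/external actions still need a human (item 5).
    return Decision(True, "ok", needs_human=tool["confirm"], audit=audit)


if __name__ == "__main__":
    now = time.time()
    tok = Token("agent-42", "inbox_cleanup",
                frozenset({"drive:read", "drive:write"}), now, now + 600)
    for name in ("list_files", "delete_file", "send_email"):
        print(name, authorize_call(tok, name, now))
```

The gate fails closed on every check and records an audit entry even for denied calls, which is the shape the logging requirement in item 1 implies: a denied call is often the first signal that a tool or token is being probed.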

For the policy view of the same trend, see our coverage of the NSA’s May 2026 MCP security guidance, which puts a federal stamp on most of the controls Wallarm is recommending. For more on the underlying protocol problem, our earlier write-up on MCP as the backdoor zero-trust missed digs into the architectural piece. Our GitHub MCP security scanning and AI agent memory privacy pieces cover adjacent failure modes worth reading alongside Wallarm’s report.

The honest read

What Wallarm is describing is the predictable second act of every infrastructure rollout that has ever happened, compressed into a much shorter timeline because the underlying technology, autonomous agents calling tools through a standardized protocol, is useful enough that adoption keeps outrunning hardening.

The 270% number will get the headlines, and it should. But the more important figure in the report is the 52% of incidents traceable to broken authentication. That’s a discipline problem, not an AI problem, and one the industry already knows how to solve. We have OAuth. We have mTLS. We have least-privilege models. We have runtime API security.

What we don’t have yet is the muscle memory to apply all of that to a layer most security teams didn’t know existed in early 2024. The vendors with skin in this game (Wallarm, Endor Labs, Pillar Security, Authzed, the OX Security researchers, Microsoft’s own MCP security team) are publishing threat data, checklists, and detection logic fast enough that “we didn’t know” is no longer a defensible position.

The agents are going further into production every week. The protocol they speak is now control-plane infrastructure for a meaningful share of enterprise workflows. The breach reports have started, and they’re following an extremely familiar shape.

What Wallarm adds to the conversation is a hard-to-dismiss number. The dangerous thing is the gap between how fast we’re shipping MCP and how slowly we’re hardening it. Closing that gap is the work for the rest of 2026. The organizations that start now will be the ones writing post-mortems for incidents that didn’t happen.
