The MCP Ecosystem Grew Fast — Security Did Not
The Model Context Protocol launched in late 2024. In under 18 months it became the standard way to connect AI tools to outside systems. By March 2026, the ecosystem covers database connectors, file servers, GitHub bridges, Slack clients, email tools, and hundreds of domain-specific servers.
The growth curve is steep. The security picture is not.
As of March 2026, 8,000+ MCP servers sit on the public internet. Researchers found 492 with zero authentication — no API key, no OAuth, no IP filter. Any HTTP client can call them. 36.7% of sampled servers are open to SSRF (Server-Side Request Forgery). That means an attacker who controls tool input can reach internal network resources.
In the same period, 30+ CVEs were filed in 60 days. That rate shows both how new the ecosystem is and how much researcher focus it gets.
Why the Protocol Creates PII Risk
MCP gives AI assistants the power to act on data. That is also why it is a PII risk.
When a developer uses Cursor or Claude Desktop with a database connector, the AI writes SQL from plain text. Those queries return real rows — names, emails, payment data, or other PII. That data moves through a chain:
- Database server → AI assistant's context window
- Context window → model provider's log systems
- Conversation history → developer's local machine
- Debug sessions → other AI tools when the developer pastes context
None of these steps is a breach. They are how the system works. But PII ends up in multiple places not built to hold it, often with no encryption between server and AI client.
CVE-2026-25253 (CVSS 8.8), published in February 2026, showed one attack path. A malicious endpoint could inject hidden instructions into its responses. Those instructions told the connected AI to pull data from other active tools. A developer using a bad community endpoint next to their own database connector could leak the whole database.
The 492 Zero-Auth Servers
The 492 open servers are a different problem from CVE-2026-25253. They were not hacked. They were set up wrong.
Most were meant to run locally. Someone exposed them via port forwarding or a cloud deploy with no access controls.
What these servers often expose:
- File system tools with read access to home folders
- Database connectors with live credentials in the config
- Email tools tied to real inboxes
- Code execution tools — arbitrary code, no auth, no limits
The developers almost certainly did not mean to expose them. But Cursor and Claude Desktop connect to any URL in the config. There is no built-in check for whether a host is local or public.
The anonym.legal MCP Solution
The structural fix for PII risk in tool pipelines is to anonymize data before it reaches any call that sends it to an LLM. This is what the anonym.legal MCP server provides.
It exposes 7 tools:
| Tool | Purpose |
|---|---|
| analyze_text | Detect PII entities and return their positions and types |
| anonymize_text | Strip or pseudonymize detected PII |
| deanonymize_text | Reverse pseudonymization using your encryption key |
| anonymize_batch | Process multiple texts in one call |
| get_supported_entities | List all 285+ entity types for a given language |
| get_supported_languages | List all 48 supported languages |
| health_check | Verify connectivity |
When an AI assistant has both the anonym.legal server and a database connector configured, the developer can instruct: "Before showing any customer data, call anonymize_text on the result." The AI handles orchestration. PII never reaches the visible output or conversation history in identifiable form.
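The gating pattern described above, as an added example that is not anonym.legal's code: a database tool result is pseudonymized before any of it enters the model's context, and the mapping can be reversed only by presenting the same session key. The two-pattern regex detector stands in for the analyze_text / anonymize_text tools (the real service reports many more entity types), the `Pseudonymizer` class and `guard_rows` function are hypothetical names, and the sample rows are constructed.

```python
# Added example (not anonym.legal's code): pseudonymize a query result before
# the model sees it; reversal requires the session key.  The detector is a
# two-pattern regex stand-in for analyze_text / anonymize_text (assumption),
# and SAMPLE_ROWS is constructed data.
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Hypothetical minimal entity set; the real service covers far more types.
PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "PHONE": re.compile(r"\+?\d[\d\s-]{7,}\d"),
}


def analyze_text(text):
    """Return sorted (start, end, entity_type) spans for detected PII."""
    spans = []
    for etype, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            spans.append((m.start(), m.end(), etype))
    return sorted(spans)


@dataclass
class Pseudonymizer:
    """Replaces PII with keyed tokens and keeps the mapping for reversal."""
    key: bytes
    _vault: dict = field(default_factory=dict)

    def _token(self, value, etype):
        # HMAC so the same value always maps to the same token under one key:
        # joins across rows stay meaningful without exposing the value.
        tag = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()[:10]
        token = f"<{etype}_{tag}>"
        self._vault[token] = value
        return token

    def anonymize_text(self, text):
        out, cursor = [], 0
        for start, end, etype in analyze_text(text):
            if start < cursor:          # overlapping match already replaced
                continue
            out.append(text[cursor:start])
            out.append(self._token(text[start:end], etype))
            cursor = end
        out.append(text[cursor:])
        return "".join(out)

    def deanonymize_text(self, text, key):
        # Reversal is gated on presenting the key the tokens were made with.
        if not hmac.compare_digest(key, self.key):
            raise PermissionError("deanonymize_text: key mismatch")
        for token, value in self._vault.items():
            text = text.replace(token, value)
        return text


def guard_rows(rows, pseud):
    """Anonymize every string cell of a query result before the model sees it."""
    return [
        {col: pseud.anonymize_text(val) if isinstance(val, str) else val
         for col, val in row.items()}
        for row in rows
    ]


# Constructed sample result, shaped like what a database connector returns.
SAMPLE_ROWS = [
    {"id": 7, "email": "ada@example.com", "note": "call +1 555-010-0199 re: refund"},
    {"id": 8, "email": "ada@example.com", "note": "duplicate account"},
]

if __name__ == "__main__":
    p = Pseudonymizer(key=b"session-key")
    safe = guard_rows(SAMPLE_ROWS, p)
    print(safe)  # tokens only; both rows carry the same EMAIL token
    print(p.deanonymize_text(safe[0]["email"], b"session-key"))
```

The point to take from the block is where the gate sits: `guard_rows` runs on the connector's side of the boundary, so the context window, the provider's logs and the conversation history only ever hold tokens. Deterministic tokens keep the two rows recognisably the same customer, which is what makes the anonymized result still useful to the assistant.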
Cursor IDE Setup
To add the anonym.legal server to Cursor:
In .cursor/mcp.json:

```json
{
  "mcpServers": {
    "anonym-legal": {
      "url": "https://anonym.legal/mcp",
      "transport": "sse",
      "headers": {
        "Authorization": "Bearer YOUR_API_KEY"
      }
    }
  }
}
```
Once configured, ask Cursor: "Analyze this support ticket for PII before I paste it into the tracker." Cursor calls analyze_text, returns the entity list, and you decide whether to anonymize before pasting.
Claude Desktop Setup
In claude_desktop_config.json:

```json
{
  "mcpServers": {
    "anonym-legal": {
      "command": "npx",
      "args": ["-y", "@anonym-legal/mcp-server"],
      "env": {
        "ANONYM_API_KEY": "YOUR_API_KEY"
      }
    }
  }
}
```
With this config, Claude Desktop can anonymize any text before including it in tool calls sent to other servers. The anonymization runs in your session. PII never reaches Anthropic's servers in identifiable form.
Hardening Your Setup
Beyond using anonym.legal, apply these steps. See also our security overview and compliance center.
- Audit your tool list. Check every entry in your config. For each one, ask: do you trust the operator? Do you know what data it can reach?
- Prefer local over remote. Local servers run via stdio and create no network exposure. Use remote servers only when no local option exists.
- Check authentication. Every remote server should require an API key or OAuth token. If it does not, do not use it with real user data.
- Separate dev from production. Keep separate configs for dev work (test data, no PII) and for any flow that touches real users.
- Enable audit logging. If a server supports logging, turn it on, so you know what data went through each call.
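The first three steps, plus the earlier observation that the clients do not check whether a configured host is local or public, can be mechanised. The following is an added example, not Cursor's, Anthropic's or anonym.legal's code: it walks the `mcpServers` section that both config files above use and flags remote entries, plaintext transports to non-local hosts, missing `Authorization` headers, and credentials embedded in `env`. The `audit` and `is_local_host` names are hypothetical, and the config it runs on is constructed, with placeholder hostnames.

```python
# Added example (not Cursor's, Anthropic's or anonym.legal's code): audit the
# mcpServers section of a client config against the hardening steps above.
# SAMPLE_CONFIG is constructed; the hostnames and credentials are placeholders.
import ipaddress
import json
from urllib.parse import urlparse

SAMPLE_CONFIG = json.loads("""
{
  "mcpServers": {
    "anonym-legal": {
      "url": "https://anonym.legal/mcp", "transport": "sse",
      "headers": {"Authorization": "Bearer YOUR_API_KEY"}
    },
    "community-notes": {"url": "http://notes.example.org:8000/sse"},
    "local-files": {"command": "npx", "args": ["-y", "example-fs-server"]},
    "db": {
      "command": "python", "args": ["db_server.py"],
      "env": {"DATABASE_URL": "postgres://app:hunter2@db.internal/prod"}
    }
  }
}
""")

SECRET_KEY_HINTS = ("KEY", "TOKEN", "SECRET", "PASSWORD")


def is_local_host(host):
    """True for localhost and loopback/private/link-local IP literals."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                    # a DNS name: treat as remote
    return ip.is_loopback or ip.is_private or ip.is_link_local


def audit(config):
    """Return {server_name: [findings]}; an empty list means nothing flagged."""
    report = {}
    for name, entry in config.get("mcpServers", {}).items():
        findings = []
        url = entry.get("url")
        if url:                                   # remote (HTTP/SSE) server
            parts = urlparse(url)
            host = parts.hostname or ""
            headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
            if not is_local_host(host):
                findings.append("remote server: confirm you trust the operator "
                                "and know what data it can reach")
                if parts.scheme != "https":
                    findings.append("plaintext transport to a non-local host")
            if "authorization" not in headers:
                findings.append("no Authorization header: server is called "
                                "without auth; do not use with real user data")
        # stdio servers ("command") create no network exposure; nothing to flag
        for var, value in entry.get("env", {}).items():
            text = str(value)
            authority = text.split("://", 1)[1].split("/", 1)[0] if "://" in text else ""
            if "@" in authority:
                findings.append(f"env {var}: credential embedded in connection URL")
            elif any(hint in var.upper() for hint in SECRET_KEY_HINTS):
                findings.append(f"env {var}: secret stored in config; "
                                "keep the file out of version control")
        report[name] = findings
    return report


if __name__ == "__main__":
    for server, findings in audit(SAMPLE_CONFIG).items():
        print(server, "->", findings or ["ok"])
```

Run it against each config file you keep, including the dev and production ones you separated in step four. A remote `https` server with an `Authorization` header still gets the "confirm you trust the operator" line on purpose: authentication answers who you are to the server, not whether the server should see your data.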
See our MCP features page for a full list of entity types and languages.
The 30+ CVEs in 60 days show the protocol is under active scrutiny. New bugs will appear. But the core defense — anonymize before data reaches any LLM call — works against any specific CVE that comes next.
anonym.legal processes PII anonymization server-side using your encryption key. Pseudonymized data is reversible only with that key. Published by anonym.legal, ISO 27001 certified.
Sources
- Shodan MCP server exposure data, March 2026 — 8,000+ servers, 492 zero-auth
- CVE-2026-25253, CVSS 8.8, cross-server injection via Model Context Protocol
- SSRF data: security research scan of publicly accessible endpoints, March 2026
- Anthropic MCP specification v1.2, security considerations section