Featured report
Bindfort Research

All research on MCP security

Supply chain audits, vulnerability analysis, and threat research on the Model Context Protocol ecosystem - with full reproduction steps and raw data.

Runtime control - May 2026

Agent tool calls need receipts, not just logs

Production agent tool calls need authorization evidence that binds identity, policy, server state, and result.

4 min read

Production checklist - May 2026

MCP security checklist before production

A practical pre-production checklist for MCP servers: inventory, installed-tree scanning, tool scope, credentials, policy, and receipts.

6 min read

Runtime validation - May 2026

For MCP security, dependency presence is not the same as reachability

How to separate dependency-only MCP findings from issues that sit on real tool, transport, credential, or runtime paths.

6 min read

Local transport - May 2026

Localhost MCP servers still need Host and Origin validation

Localhost is a useful deployment boundary, but MCP HTTP servers still need explicit Host and Origin checks.

5 min read

Threat model - May 2026

What could happen if an agent uses a vulnerable MCP server?

A practical threat model for MCP server risk: tool reach, credentials, local transport, dependency trees, and audit receipts.

7 min read

Ecosystem audit - May 2026

The MCP package looked clean. The installed tree did not.

A 31-target audit across npm and PyPI found 1 issue at the package level and 69 in runtime dependency trees.

6 min read

Supply Chain / May 2026

5 of 5: Every Official MCP Server We Audited Carries Known-Vulnerable Transitive Dependencies

We scanned all five reference MCP servers in the official npm namespace. Every one carries two HIGH-severity advisories invisible to standard SCA tooling - because the vulnerable package is a transitive dependency, not a top-level one.

8 min read

Advisory deep-dive / May 2026

The two GHSAs hiding across popular MCP servers

A technical breakdown of GHSA-8r9q-7v3j-jr4g (ReDoS) and GHSA-w48q-cv73-mx4w (DNS rebinding) - two HIGH advisories on @modelcontextprotocol/sdk that every official MCP server inherits transitively.

7 min read

Scan-depth / May 2026

PURL vs. npm-tree scanning: why standard SCA misses MCP transitives

Standard SCA tools query packages by PURL - declared name and version. MCP servers carry their vulnerabilities one level deeper, in transitives that PURL scans never reach. Walkthrough of the structural gap.

6 min read