the open-tool gap · 2026 edition

The State of MCP Servers · 2026

Name: The State of MCP Servers · 2026
Creator: Legit.Show
Published: 2026-06-12T15:00:00+00:00

MCP is the newest way to give an AI tools — and 27 of the servers in our catalog were scanned straight from their repositories. The protocol is young; the production hygiene shows it.

53%

of MCP servers no authentication — according to Legit.Show

The findings

No rate limiting — 93%
One caller can hammer the server or run up the bill.
No error tracking — 81%
Failures happen silently — nobody finds out.
No authentication — 53%
The server runs tools for anyone who can reach it — no API key, no token.
Committed .env — 4%
Credentials checked into the repo.
Leaked secret — 0%
A secret key shipped in the code — anyone can steal it.

Why MCP is the scary one

An MCP server hands an AI the keys to *do things* — read files, hit APIs, run code. When one ships with no authentication, anyone who can reach it gets those keys too. This is the newest category, with the least settled security culture, and zero prior measurement.

A young protocol

These aren’t bad engineers — MCP barely existed a year ago. The point isn’t blame; it’s that "exposes tools to an AI" and "has no auth" should never be true at once, and right now they often are.

How this was measured →