Auditing a Model Context Protocol (MCP) server in 2026 requires a shift from traditional web auditing to Agentic Security Auditing. Since an LLM acts as the user of your server, you must audit not just the code, but the “instructions” and “boundaries” presented to the AI.
Here is the professional workflow for conducting a comprehensive MCP server audit.
1. Discovery & Tool Inspection
The first step is to see exactly what the AI sees. A malicious agent or a prompt injection can only exploit what is exposed in the tool definitions.
- Use the MCP Inspector: Run
npx @modelcontextprotocol/inspectorto launch a local GUI. Connect your server and inspect the Tools tab. - Audit Tool Descriptions: Check if the descriptions are too “helpful.”
- Bad: “This tool runs any bash command.”
- Good: “This tool lists files in the
/publicdirectory only.”
- Schema Strictness: Ensure every tool uses strict JSON Schema. AI agents are prone to “hallucinating” extra arguments; your server should reject any input that doesn’t perfectly match the schema.
2. Static Analysis (The “Code” Audit)
Since most MCP servers are written in TypeScript or Python, use standard security scanners with MCP-specific rules.
- Dependency Check: Use
npm auditorpip-audit. MCP is a new ecosystem; many early community servers use outdated, vulnerable libraries. - Path Traversal Check: This is the #1 vulnerability in MCP (found in 80% of filesystem-based servers).
- Audit Task: Search your code for
fs.readFileoropen(). Ensure user-provided paths are sanitized usingpath.resolveand checked against a “Root” directory.
- Audit Task: Search your code for
- Command Injection: If your tool executes shell commands (e.g., a Git or Docker tool), ensure inputs are passed as arrays, never as strings.
- Vulnerable:
exec("git log " + user_input) - Secure:
spawn("git", ["log", user_input])
- Vulnerable:
3. Runtime & Behavioral Auditing
In 2026, we use eBPF-based monitoring or MCP Gateways to watch what the server actually does during a session.
- Sandbox Verification: Run the server in a restricted Docker container. Audit the
Dockerfileto ensure it runs as a non-root user (USER nodeorUSER python). - Network Egress Audit: Does your server need to talk to the internet? If it’s a “Local File” tool, use firewall rules (or Docker network flags) to block all outgoing traffic. This prevents “Data Exfiltration” where an AI is tricked into sending your files to a remote server.
- AIVSS Scoring: Use the AI Vulnerability Scoring System (AIVSS) to rank findings. A “Prompt Injection” that leads to a file read is a High; a “Prompt Injection” that leads to a shell execution is Critical.
4. The 2026 Audit Checklist
If you are performing a formal audit, ensure you can check “Yes” to all of the following:
| Category | Audit Check |
| Authentication | Does the server require a token for every request (especially for HTTP transports)? |
| Sanitization | Are all LLM-generated arguments validated against a regex or allowlist? |
| Least Privilege | Does the server only have access to the specific folders/APIs it needs? |
| Human-in-Loop | Are “Write” or “Delete” actions flagged to require manual user approval in the client? |
| Logging | Does the server log the User ID, Tool Name, and Arguments for every call? |
5. Automated Auditing Tools
To speed up the process, you can use these 2026-standard tools:
- mcpserver-audit: A GitHub-hosted tool that scans MCP source code for common dangerous patterns (like unparameterized SQL or open shell calls).
- Trivy / Docker Scout: For scanning the container image where your MCP server lives.
- Semgrep (MCP Ruleset): Use specialized Semgrep rules designed to find “AI Injection” points in Model Context Protocol implementations.
Multi-Layered Test Plan.
To perform a professional audit of an MCP server in 2026, you should follow a Multi-Layered Test Plan. Since MCP servers act as “Resource Servers” in an agentic ecosystem, your audit must verify that a compromised or malicious AI cannot “break out” of its intended scope.
Here is a 5-step Security Test Plan for an MCP server.
1. Static Analysis: “The Code Review”
Before running the server, scan the source code for common “agent-trap” patterns.
- Check for
shell=True(Python) orexec()(Node.js): These are the most common entry points for Remote Code Execution (RCE).- Test: Ensure all CLI tools use argument arrays instead of string concatenation.
- Path Traversal Audit: Look for any tool that takes a
pathorfilenameas an argument.- Test: Verify that the code uses
path.resolve()and checks if the resulting path starts with an allowed root directory. - Common Fail: Using simple string
.startsWith()without resolving symlinks first (CVE-2025-53109).
- Test: Verify that the code uses
2. Manifest & Metadata Audit
The LLM “sees” your server through its JSON-RPC manifest. If your tool descriptions are vague, the LLM might misuse them.
- Tool Naming: Ensure tool names use
snake_case(e.g.,get_user_data) for optimal tokenization and clarity. - Prompt Injection Resilience: Check if tool descriptions include “Safety instructions.”
- Example: “This tool reads files. Safety: Never read files ending in .env or .pem.“
- Annotations: Verify that “destructive” tools (delete, update, send) are marked with
destructiveHint: true. This triggers a mandatory confirmation popup in modern MCP clients like Cursor or Claude Desktop.
3. Dynamic “Fuzzing” (The AI Stress Test)
In 2026, we use tools like mcp-sec-audit to “fuzz” the server. This involves sending nonsensical or malicious JSON-RPC payloads to see how the server reacts.
| Test Scenario | Payload Example | Expected Result |
| Path Traversal | {"path": "../../../etc/passwd"} | 403 Forbidden or Error: Invalid Path |
| Command Injection | {"cmd": "ls; rm -rf /"} | The server should treat ; as a literal string, not a command separator. |
| Resource Exhaustion | Calling read_file 100 times in 1 second. | Server should trigger Rate Limiting. |
4. Sandbox & Infrastructure Audit
An MCP server should never “run naked” on your host machine.
- Docker Isolation: Audit the
Dockerfile. It should use a distroless or minimal image (likealpine) and a non-root user. - Network Egress: Use
iptablesor Docker network policies to block the MCP server from reaching the internet unless its specific function requires it (e.g., a “Web Search” tool). - Memory/CPU Limits: Ensure the container has
cpus: 0.5andmemory: 512mblimits to prevent a “Looping AI” from crashing your host.
5. OAuth 2.1 & Identity Verification
If your MCP server is shared over a network (HTTP transport), it must follow the June 2025 MCP Auth Spec.
- PKCE Implementation: Verify that the server requires Proof Key for Code Exchange (PKCE) for all client connections. This prevents “Authorization Code Interception.”
- Scope Enforcement: If a user only authorized the
read_onlyscope, ensure the server rejects calls todelete_recordeven if the token is valid. - Audit Logging: Every tool call must be logged with:
- The
user_idwho initiated it. - The
agent_idthat generated the call. - The exact
argumentsused.
- The
Pro-Tooling for 2026
- MCP Inspector: Use
npx @modelcontextprotocol/inspectorfor a manual “sanity check” of your tools. - Snyk / Trivy: Run these against your MCP server’s repository to catch vulnerable 3rd-party dependencies.
Would you like me to help you write a “Safety Wrapper” in Python or TypeScript that automatically validates all file paths before your MCP server processes them?
Infra Cloud Solutions 