Key Insight
Two security reports from April 2026 materially change the MCP threat model:
1. OX Security (April 2026): Disclosed a systemic RCE vulnerability in all MCP SDK language implementations (Python, TypeScript, Go, Java). The attack surface is the MCP tool call input deserialization path. Patched in SDK updates released April-May 2026.
2. BlueRock Security (April 2026): Audited the public MCP server registry: 36.7% carry SSRF vulnerabilities, 41% have no authentication at all, and only 8.5% use OAuth. Community-sourced servers are disproportionately risky.
Streamable HTTP (replacing legacy SSE) adds a new attack surface: remote MCP servers are now internet-accessible services, not just local subprocesses.
The MCP ecosystem has 22,775 registered servers as of May 2026 (Glama), but the majority are forks, abandoned, or unpatched. The practical safe set is much smaller.
Action Items
- Audit TITAN's MCP server list: confirm all SDKs are updated past the OX Security patch date (April-May 2026).
- For any TITAN MCP server exposed via Streamable HTTP (not stdio), enforce OAuth — do not accept unauthenticated connections.
- When adding new community MCP servers, verify: (1) last commit date, (2) auth method, (3) whether it is a fork of an actively maintained project.
- TITAN's local stdio MCPs (filesystem, memory, etc.) are not directly exposed to the SSRF vector — prioritize auditing any remote Streamable HTTP servers first.
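One way to run these checks over a server inventory, remote Streamable HTTP servers first. This is an added example, not TITAN tooling: the field names, the 180-day staleness limit, the use of the edges of the April-May 2026 patch window as cutoffs, and the sample inventory are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumptions, not from the memo: the field names, the 180-day staleness limit,
# and using the edges of the memo's "April-May 2026" patch window as cutoffs.
PATCH_WINDOW = (date(2026, 4, 1), date(2026, 5, 31))
STALE_AFTER_DAYS = 180

@dataclass
class McpServer:
    name: str
    transport: str      # "stdio" or "streamable-http"
    auth: str           # "oauth", "api-key" or "none"
    sdk_updated: date   # when the bundled MCP SDK was last updated
    last_commit: date
    is_fork: bool = False

def findings(s, today):
    """Return the memo's checklist items that this server fails."""
    out = []
    if s.transport == "streamable-http" and s.auth != "oauth":
        out.append("remote-without-oauth")
    if s.sdk_updated < PATCH_WINDOW[0]:
        out.append("sdk-predates-patch")        # cannot contain the fix
    elif s.sdk_updated <= PATCH_WINDOW[1]:
        out.append("sdk-patch-unconfirmed")     # check the SDK version by hand
    if (today - s.last_commit).days > STALE_AFTER_DAYS:
        out.append("stale-repo")
    if s.is_fork:
        out.append("fork-review-upstream")
    return out

def triage(inventory, today):
    """Flagged servers as (name, findings), remote Streamable HTTP ones first."""
    flagged = [(s, findings(s, today)) for s in inventory]
    flagged = [(s, f) for s, f in flagged if f]
    flagged.sort(key=lambda p: (p[0].transport != "streamable-http", -len(p[1])))
    return [(s.name, f) for s, f in flagged]

# Constructed sample inventory; names and dates are illustrative only.
INVENTORY = [
    McpServer("filesystem", "stdio", "none", date(2026, 6, 10), date(2026, 6, 1)),
    McpServer("memory", "stdio", "none", date(2026, 2, 3), date(2026, 5, 20)),
    McpServer("web-fetch", "streamable-http", "none",
              date(2026, 4, 20), date(2025, 9, 1), is_fork=True),
    McpServer("tickets", "streamable-http", "oauth", date(2026, 6, 2), date(2026, 6, 5)),
]

if __name__ == "__main__":
    for name, issues in triage(INVENTORY, today=date(2026, 6, 15)):
        print(f"{name}: {', '.join(issues)}")
```

A stdio server with no auth is not flagged for authentication here, matching the memo's prioritization, but it is still flagged when its SDK predates the patch window.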
Relevance
- TITAN infrastructure: TITAN runs multiple MCP servers. If any have migrated to Streamable HTTP transport, they need OAuth enforcement immediately.
- Security posture: The 41% no-auth stat applies to public servers; TITAN's internal servers are isolated, but the RCE SDK vulnerability applies universally until patched.