
Access Control: MCP Server Accessible Without Authentication

Identifier: mcp_unauth

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner, ASM Scanner

Description

MCP servers accessible without authentication allow anyone with network access to execute available MCP tools, potentially leading to unauthorized access, data exposure, or system compromise.

How we test: We attempt to access MCP server endpoints without authentication and analyze the responses to determine whether the server accepts unauthenticated requests. We check whether authentication is properly enforced and whether MCP tools can be listed or executed without proper authorization.
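To reproduce this check against your own deployment, here is an added Python self-test (not the scanner's own code): it sends an MCP `tools/list` JSON-RPC call with no `Authorization` header to an assumed Streamable HTTP endpoint and classifies the reply. A 401/403 means authentication is enforced; a tool inventory in a 200 reply means the finding applies. The endpoint URL and the `probe` helper are assumptions for illustration.

```python
import json
import urllib.error
import urllib.request

# Constructed request: MCP clients enumerate tools with the "tools/list" method.
TOOLS_LIST = {"jsonrpc": "2.0", "id": 1, "method": "tools/list", "params": {}}


def parse_jsonrpc(body):
    """Return the JSON-RPC message carried in a response body, or None.
    Streamable HTTP servers may answer as an SSE stream, in which case the
    last 'data:' line holds the JSON-RPC response."""
    text = body.strip()
    if text.startswith("event:") or text.startswith("data:"):
        data_lines = [ln[5:].strip() for ln in text.splitlines() if ln.startswith("data:")]
        text = data_lines[-1] if data_lines else ""
    try:
        return json.loads(text)
    except ValueError:
        return None


def classify(status, body):
    """Classify an unauthenticated tools/list reply as
    'enforced', 'unauthenticated' or 'inconclusive'."""
    if status in (401, 403):
        return "enforced"            # credentials were required: expected behaviour
    if status != 200:
        return "inconclusive"        # server error, redirect, wrong path, etc.
    msg = parse_jsonrpc(body)
    if not isinstance(msg, dict):
        return "inconclusive"        # not a JSON-RPC message at all
    result = msg.get("result")
    if isinstance(result, dict) and isinstance(result.get("tools"), list):
        return "unauthenticated"     # tool inventory served without any credentials
    return "inconclusive"            # JSON-RPC error or unexpected shape


def probe(url, timeout=5):
    """Hypothetical helper: POST tools/list to your own MCP endpoint with no
    Authorization header and classify the answer."""
    req = urllib.request.Request(
        url, data=json.dumps(TOOLS_LIST).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json, text/event-stream"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read().decode(errors="replace"))
```

Anything other than "enforced" for an endpoint that should be protected is worth investigating, and "inconclusive" usually means the URL or transport was wrong rather than that auth is in place.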

Configuration

Example

Example configuration:

---
security_tests:
  mcp_unauth:
    skip: false

Reference

skip

Type: boolean

Skip the test if true.