MCPSafe.io

© 2026 MCPSafe. All rights reserved.


Configuration & Environment

MCP Manifest Missing Authentication

MEDIUM | CWE: CWE-306 | Rule: MCP-209

An MCP server manifest that declares tools without specifying an authentication mechanism exposes every registered tool to unauthenticated callers. Sibling rules covering the same auth-missing-on-transport family at code level: MCP-217 (tools/list endpoint), MCP-268 (local HTTP).

What it is

CWE-306 (Missing Authentication for Critical Function) manifests here when an MCP server's JSON manifest omits or explicitly disables the `auth` / `authentication` field while still advertising callable tools. Any client — legitimate or malicious — can invoke those tools without presenting credentials. The flaw exists at the configuration layer, meaning no amount of correct application code compensates for the absent declaration.

Why it matters for MCP

MCP servers are designed to be discovered and invoked autonomously by LLM agents, which means a missing auth field is not a theoretical gap — an agent will call the tool the moment it appears in the manifest. Unlike a traditional REST API where a human developer consciously navigates to an endpoint, an LLM-driven pipeline will enumerate all advertised tools and invoke them without pausing to question whether credentials are required. Compound this with tool composition: one unauthenticated tool can chain into privileged downstream tools, amplifying the blast radius of the missing control.

Vulnerable example

mcp.json (manifest with tools, auth explicitly disabled):

```json
{
  "name": "data-export-server",
  "version": "1.0.0",
  "auth": "none",
  "tools": [
    {
      "name": "export_records",
      "description": "Export all customer records as CSV.",
      "inputSchema": {
        "type": "object",
        "properties": { "table": { "type": "string" } }
      }
    }
  ]
}
```

Secure example

mcp.json (manifest with bearer auth declared):

```json
{
  "name": "data-export-server",
  "version": "1.0.0",
  "auth": "bearer",
  "tools": [
    {
      "name": "export_records",
      "description": "Export all customer records as CSV.",
      "inputSchema": {
        "type": "object",
        "properties": { "table": { "type": "string" } }
      }
    }
  ]
}
```

How MCPSafe detects this

MCPSafe parses JSON manifests and evaluates two sub-rules: `manifest-explicit-no-auth` fires at ERROR when `auth` resolves to `none`, `false`, or `null`, or when `authentication` is `null`; `manifest-no-auth-declared` fires at MEDIUM when a `tools` array is present but none of the known auth keys (`auth`, `authorization`, `bearer`, `oauth`, `mtls`, `apiKey`, `api_key`, `basic`, `token`, `authToken`) appear anywhere in the top-level manifest object. Manifests that contain no `tools` array, or that are scoped to stdio-only transport with an explicit inline comment flag, are excluded from the second sub-rule.
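
The two sub-rules described above, sketched as an added example (not MCPSafe's own code). Function and constant names are hypothetical. It assumes "resolves to" covers both the JSON literals and their string spellings and that only top-level keys count, and it does not model the stdio-only comment-flag exclusion.

```javascript
// Added example; names are hypothetical, not MCPSafe's implementation.
const AUTH_KEYS = ["auth", "authorization", "bearer", "oauth", "mtls",
  "apiKey", "api_key", "basic", "token", "authToken"];

// Assumption: "resolves to none/false/null" covers the JSON literals and
// their case-insensitive string spellings.
function isDisabled(value) {
  if (value === null || value === false) return true;
  return typeof value === "string" &&
    ["none", "false", "null"].includes(value.trim().toLowerCase());
}

function checkManifest(jsonText) {
  const manifest = JSON.parse(jsonText); // throws on malformed input
  if (manifest === null || typeof manifest !== "object" || Array.isArray(manifest)) {
    return [];
  }
  const has = (k) => Object.prototype.hasOwnProperty.call(manifest, k);

  // Sub-rule 1: auth explicitly switched off (fires with or without tools).
  if ((has("auth") && isDisabled(manifest.auth)) ||
      (has("authentication") && manifest.authentication === null)) {
    return [{ rule: "manifest-explicit-no-auth", severity: "ERROR" }];
  }
  // Sub-rule 2: tools advertised, no known auth key at the top level.
  // Assumption: key presence only; nested keys and values are not inspected.
  if (Array.isArray(manifest.tools) && !AUTH_KEYS.some(has)) {
    return [{ rule: "manifest-no-auth-declared", severity: "MEDIUM" }];
  }
  return [];
}

// Constructed sample manifests (not from a real server).
const tools = [{ name: "export_records", inputSchema: { type: "object" } }];
const samples = {
  disabled: { name: "data-export-server", auth: "none", tools },
  undeclared: { name: "data-export-server", tools },
  bearer: { name: "data-export-server", auth: "bearer", tools },
  nestedOnly: { name: "data-export-server", transport: { auth: "bearer" }, tools },
  noTools: { name: "data-export-server" },
};
for (const [label, m] of Object.entries(samples)) {
  console.log(label, JSON.stringify(checkManifest(JSON.stringify(m))));
}
```

The `nestedOnly` sample still produces a finding because the key sits under `transport`, not at the top level. A passing manifest only shows that an auth key is declared, not that the server enforces it.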

See the full threat catalog for every documented detection.

Further reading

  • CWE-306: Missing Authentication for Critical Function
  • MCP Authorization Specification
  • OWASP API Security Top 10: API2 Broken Authentication
  • NIST SP 800-95: Guide to Secure Web Services
