2026-03-26
mcp ยท security ยท agents

OWASP MCP Top 10: Gateways Solve Access. No One Solves Accountability.

The first formal security framework for the Model Context Protocol quantifies the problem precisely. 492 exposed servers, zero auth. 78% attack success from one bad server. The consensus solution is necessary but incomplete.

In March 2026, OWASP published the first formal security framework for the Model Context Protocol: the MCP Top 10. It didn't arrive in a vacuum.

In the 60 days before publication: 30+ CVEs in the MCP ecosystem. 492 exposed servers with zero authentication discovered by Trend Micro. A Palo Alto Unit 42 study demonstrating 78.3% attack success rates from a single compromised server in a five-server mesh. And postmark-mcp โ€” the first confirmed malicious MCP server โ€” silently exfiltrating data for weeks before anyone noticed.

The OWASP MCP Top 10 is the industry's response to a threat surface that emerged faster than anyone planned for. It names Token Mismanagement as the #1 risk. It recommends gateways, allow-lists, and input sanitization throughout.

All of that is correct. And none of it addresses the accountability gap.

What the Numbers Actually Say

Trend Micro ยท 2026
492 exposed MCP servers with zero authentication
Nearly 500 MCP servers running on the public internet with no authentication layer at all. Not dev environments that got accidentally promoted โ€” deployed without any attempt at access control. Any agent, legitimate or not, could connect and call any tool.
Palo Alto Unit 42 ยท 2026
78.3% attack success rate from one compromised server in five
Unit 42 set up a realistic five-server MCP environment and compromised one. The attack success rate across the entire mesh: 78.3%. The blast radius of a single compromised MCP server isn't one server. It's your entire connected tool surface.
First confirmed malicious MCP server
postmark-mcp: silent exfiltration for weeks
The first confirmed malicious MCP server didn't announce itself. It functioned as a normal email tool while quietly forwarding email contents, recipient data, and behavioral patterns to an external endpoint. Detection was behavioral anomaly analysis done by humans reviewing outgoing traffic โ€” not a technical control. There was no signed audit trail for agent actions.

The Consensus Response

Every serious MCP security recommendation after OWASP converges on the same set of controls:

Gateways โ€” route agent traffic through a controlled proxy that enforces policy. Aurascape, Keycard, and enterprise solutions from Cisco and Palo Alto all play here. Allow-lists โ€” define explicit lists of permitted MCP servers and tools. Agents can only call what's on the list. Input sanitization โ€” validate and sanitize all inputs before passing to MCP tools. Short-lived credentials โ€” issue time-limited, task-scoped tokens. Revoke when the task completes.

These are the right controls. They address access โ€” who gets to connect to what, under what conditions.

They don't address accountability.

The Accountability Gap

Gateways answer: "Was this agent allowed to do this?"

Accountability answers: "Who is responsible for what this agent did?"

These are different questions. And after the postmark-mcp incident, the question everyone wanted to answer was the second one.

When a malicious MCP server causes an agent to take an action โ€” send emails, exfiltrate data, modify records โ€” the accountability question is:

  • โ†’ What did the agent actually do? In what order? At what time?
  • โ†’ Which agent account or identity was involved?
  • โ†’ Who is the human owner accountable for this agent?
  • โ†’ Can I prove this to an auditor, a regulator, or a court?

With current MCP infrastructure, the answer to most of these questions is: check your logs and hope you kept them. There's no cryptographic record. No chain of custody. No signed audit trail that an auditor can verify independently. No identity model that traces agent actions to an accountable human.

Gateways can block the postmark-mcp attack โ€” if they knew it was malicious before deploying it (they didn't). After weeks of silent exfiltration, accountability requires being able to reconstruct exactly what happened and prove who is responsible. That reconstruction was painful and incomplete. It will be painful and incomplete in the next incident too, unless the accountability layer exists from the start.

What an Accountability Layer Looks Like

The accountability layer is not the same as access control. It runs in parallel. It answers different questions.

For every agent action: a signed record of which agent, which tool, which inputs, which output, what time. Signed with Ed25519 โ€” tamper with the log and the signature breaks. Hash-chained โ€” delete or reorder records and the chain breaks. Exportable โ€” hand an auditor a JSONL file with a verification key; they verify independently.

For every agent identity: an accountable human owner in the cryptographic chain. Not a checkbox on a form โ€” a provenance relationship through API key issuance. When an agent acts, the trail leads to a human.

For revocation: a kill switch that works โ€” revoke the API key, and the agent's identity is revoked. Not just "block the agent at the gateway" โ€” the identity itself becomes invalid. The audit trail remains, with the revocation event recorded.

Why This Matters for MCP Server Builders

If you're building an MCP server, the OWASP Top 10 tells you what to defend against. But it doesn't tell you how to prove, after the fact, that your server behaved correctly โ€” or that a connected agent acting in your name didn't.

The standard pattern today: your MCP server receives tool calls, executes them, returns results. You have application logs. That's it. If a connected agent is compromised and starts using your server as an attack vector, you have no cryptographic record of what your server was asked to do. No proof that the tool calls came from the expected agent identity. No chain that leads to an accountable human on the other end.

The OWASP framework is about securing the protocol. The accountability layer is about securing what happens after the protocol succeeds โ€” when an authorized agent, using authorized tools, causes harm anyway.

The Practical Gap

Control What it answers Who ships it
Gateway + allow-list Was this agent allowed to connect? Aurascape, Keycard, Cisco
Input sanitization Was this input safe to process? Framework-level
Short-lived credentials Can this credential be quickly revoked? Keycard, AWS STS
Signed audit trail What did this agent actually do? Gap โ€” few ship this
Human accountability chain Who is responsible? Gap โ€” almost no one
Independent verification Can I prove it to an auditor? Gap โ€” design problem

Gateways and allow-lists will be widely adopted in 2026. The accountability layer will be the gap that remains after they are. Every incident investigation โ€” and there will be incidents โ€” will surface this gap.

The structural issue: The OWASP framework addresses how agents are authorized. It doesn't address what those agents do after authorization succeeds. The postmark-mcp attack wasn't an authorization failure โ€” the server was legitimately deployed and legitimately connected. The failure was that no one could answer, weeks later, exactly what it had done. That's an accountability architecture problem, not an access control problem.
ยท ยท ยท

OWASP MCP Top 10 was published in March 2026. The 492 exposed servers stat is from Trend Micro; the 78.3% compromise rate is from Palo Alto Unit 42. postmark-mcp is the first confirmed malicious MCP server in the public record. AgentLair is building the accountability layer described above โ€” Ed25519-signed, hash-chained event logs, human owner in the API key provenance chain.