An MCP server exposed on a public port answers anyone
The concrete risk is narrow and serious: an MCP server reachable on a public port with no authentication will accept tool calls from anyone who finds it. Model Context Protocol is the wiring that lets an AI agent call tools, read resources, and run actions. If that server is bound to a public address and does not check who is calling, the tools it exposes are open to the internet, not just to your agent.
What that means in practice depends on what the server can do. An MCP server that only exposes read-only lookups leaks data when it is open. One that exposes file access, database queries, shell commands, or third-party API calls hands those same capabilities to whoever reaches the port. The agent does not have to be tricked; the caller talks to the MCP server directly and asks it to run the tools.
Separate what is observable from what is only possible. Observable from outside: whether a port is open, whether it speaks the MCP protocol, and whether it answers a request that carries no credentials. Only possible, and not provable from the outside: exactly which tools are wired up, what they touch, and whether a given call would cause real damage. The open, unauthenticated response is the signal worth acting on; the blast radius is something you confirm from your own config.
- This is primarily a missing-authentication problem. CWE and OWASP track it under broken authentication and missing access control; the MCP server cannot tell a legitimate agent from a stranger.
- Authentication is who is calling. Authorization is what that caller is allowed to do. An exposed MCP server usually fails the first; even one that adds a login can still get the second wrong.
- A server bound to localhost or a private network is not reachable from the public internet, which is the safer default for most setups.
Why AI-built apps ship this
Agentic builders make standing up an MCP server easy, and the easy path optimizes for the tool working, not for who can reach it. When you ask an AI tool to add a capability, it generates a server, wires the tools, and runs it so the agent can call it on the first try. The fast way to make that work across a deploy is to bind to a host address rather than localhost, and to skip the auth layer because the agent and the server were talking fine without it in development.
That collides with quick deploys. Locally, the MCP server on a loopback address is invisible to the outside, so the missing auth never bites. The moment the same setup ships to a host with a public IP or a mapped container port, the loopback assumption is gone and the port faces the internet. Nothing in the generate-and-run loop forces a step where someone decides the server should require credentials and bind privately.
- The server works for the agent in development, so the missing auth looks like a non-issue.
- Binding to a public interface is often the generated default that makes a containerized or hosted deploy reachable at all.
- Fast deploy means the public surface exists before anyone audits which ports answer and what they expose.
Check whether your MCP endpoint answers unauthenticated
You can confirm this on your own deployment without attacking anything. Work from the outside in, against hosts you own.
Start with what is listening. From your deploy host or container, list the listening sockets and note which MCP-related ports are bound to a public interface versus localhost. A port bound to 127.0.0.1 is private; a port bound to 0.0.0.0 or a public IP is reachable from outside if a firewall or security group does not block it. Then check the same port from a machine outside your network to see whether it actually answers.
If the port answers from outside, send one unauthenticated request that the MCP protocol uses to enumerate capabilities, such as a request to list available tools, with no token or key attached. You are looking only at whether it responds, not running any of the tools it lists.
- Suspicious result: an outside request with no credentials gets a valid MCP response, for example a list of tools or a successful initialize. That means the server is both public and unauthenticated.
- Safer result: the connection is refused, times out, or the server returns an authentication or authorization error before doing any work. A refused connection from outside, with the server only answering on localhost, is the expected outcome for a private binding.
- Check the transport too. An MCP server reached over plain HTTP on a public host can be read in transit; one behind a reverse proxy still needs its own auth, because the proxy passing the request through is not the same as the server checking who sent it.
Bind it privately and require auth, and know the gap
There are two controls, and the binding one is the safe place to land first.
Bind the MCP server to localhost or a private network interface so the public internet cannot reach it at all. If the agent and the server run on the same host or in the same private network, they do not need a public port. Where the server must be reachable across a network, put it behind a gateway that terminates connections and enforces authentication, and require a credential on every MCP request rather than trusting network position alone.
Then add authentication and a tool-permission model. Authentication answers who is calling. The permission model decides which tools that caller may invoke and with what scope, so a valid caller still cannot run every tool the server happens to expose. Treat any tool that writes data, runs commands, or spends money as needing the tightest scope.
- Bind private first, even before the auth layer is perfect. A server the internet cannot reach is not exposed.
- Require a credential on every request; do not rely on the port being obscure or on a private network alone if the port is mapped out.
- Scope tool permissions so authentication does not silently grant authorization to everything.
Binding privately and adding a token stop anonymous strangers from reaching the server. They do not stop a caller who already holds a valid token from misusing the tools, and they do not address prompt injection, where untrusted content steers your own agent into calling tools it should not. Those are separate problems; see prompt injection in AI-built apps. Authentication and a network boundary are necessary, not sufficient.
Where VibeCodeGuard fits, and what it does not prove
VibeCodeGuard's Launch Check looks at your public surface. If an MCP endpoint answers on the public surface without authentication, the scan can flag that as a weak signal: a port that responds to an unauthenticated request when it probably should not be reachable at all. That points you at the exposure so you can bind it privately or put it behind auth before the URL spreads. It checks what an outside visitor can actually reach.
What it does not do is confirm your tool-permission model or trace your auth flow. Whether each tool is correctly scoped, whether your authentication is sound, and whether a valid caller is held to the right authorization all need manual review of your code and configuration. The scan sees the door; it does not audit the rooms behind it. For the deploy-side angle on how agentic builders expose these servers, see MCP server exposure in AI agent deploys, and for the broader pattern of open endpoints, see unauthenticated API endpoints in AI-built apps.
Next step: list the listening ports on your deploy host, confirm every MCP server is bound to localhost or a private interface, and run a focused Launch Check against the public URL before sharing it, so an exposed endpoint shows up in your scan and not in someone else's.
A clean Launch Check on the public surface does not prove your MCP setup is safe. The scan signals what is reachable and unauthenticated from outside; it cannot verify that your permission model is correct or that an authenticated caller is properly constrained. Treat a flagged endpoint as a launch blocker, and treat a clean result as one signal among several.
> launch check
Scan the public surface before launch.
Get severity, evidence, and practical fix guidance for the checks VibeCodeGuard can run from the outside.