Every AI tool you use today has a dirty secret: it probably can’t talk to anything else.

Ask your AI assistant to check your calendar, pull the latest issue from your GitHub repo, or search your company Slack — and you’ll hit a wall. Connecting an AI to an external system requires custom code, built separately, maintained separately, and reimplemented every time someone builds a new tool. For years, the AI industry had an M×N problem: M AI assistants times N data sources equals an ungodly number of one-off connectors. Nobody was solving the plumbing. Everyone was too busy racing to make the plumbing unnecessary.

That’s the problem Model Context Protocol was designed to fix. Whether it introduces a worse one is a separate conversation.

What Is Model Context Protocol and How Does It Work?

Anthropic announced MCP on November 25, 2024, as an open standard for connecting AI models to external tools and data. The protocol handles the plumbing: how an AI assistant discovers what tools are available, how it calls them, how results come back. The analogy that’s stuck — and it’s genuinely apt — is USB-C. Before USB-C, you needed a different cable for every device. MCP is trying to be the cable standard for AI integrations.

Under the hood, it runs on JSON-RPC 2.0 and borrows from the Language Server Protocol — the same underlying framework that made VS Code’s extension ecosystem work so well. Client-server model: MCP Servers expose tools and data; MCP Clients (AI apps like Claude Desktop, Cursor, VS Code with Copilot) connect to them. Anthropic shipped the spec with SDKs in 11+ languages and pre-built servers for GitHub, Slack, Google Drive, and Postgres on day one.

The governance piece matters. In December 2025, Anthropic donated MCP to the Agentic AI Foundation — a Linux Foundation directed fund co-founded by Anthropic, OpenAI, and Block, with AWS, Google, Microsoft, and Cloudflare as supporting members. That’s not a consortium you assemble for a spec you plan to abandon. When OpenAI’s Sam Altman said “people love MCP and we are excited to add support across our products”, he wasn’t being polite. OpenAI adopted MCP across its Agents SDK and Responses API in March 2025. Google DeepMind confirmed support for Gemini models in April 2025.

I’ve watched enough protocol launches fizzle that the cross-vendor adoption in under 18 months genuinely surprised me.

The AI Tools You Already Use Are On MCP

When a protocol earns adoption from GitHub, Slack, Notion, Figma, Jira, Confluence, Stripe, and Shopify in its first year, something real is happening. The Anthropic launch announcement named Block, Apollo, Zed, Replit, Codeium, and Sourcegraph as early adopters — heavy on developer tools. But MCP spread faster than its initial constituency.

By late 2025, per Pento’s year-end MCP review, the ecosystem had crossed 97 million monthly SDK downloads across Python and TypeScript alone, with over 10,000 active MCP servers running. Figma’s MCP integration was pulling 23,000 monthly searches. Playwright’s was at 35,000. There’s now an official community registry.

For end users, the practical upshot: AI assistants connected via MCP can create and manage GitHub issues, send Slack messages, read and write Notion pages, run database queries. The AI does the reasoning. MCP does the pipes. If you’ve been building AI agents into your workflow, understanding MCP is increasingly non-optional — it’s the layer those agents run on.

The MCP Security Record Is Not Reassuring

Here’s where I have to pump the brakes.

Between April and October 2025, there were at least nine documented security incidents involving MCP servers. Not theoretical vulnerabilities — actual exploits, actual damage. A partial list, sourced from AuthZed’s MCP security timeline:

  • April 2025: A malicious MCP server combined tool poisoning with a legitimate WhatsApp server to exfiltrate private chat history to an attacker-controlled number.
  • May 2025: A GitHub MCP prompt injection hijacked an AI assistant to pull data from private repositories — including financial and salary data — and leak it to a public repo.
  • July 2025: CVE-2025-6514 (CVSS 9.6), a critical command injection bug in the mcp-remote OAuth proxy, hit 437,000+ downloads. API keys, cloud credentials, SSH keys stolen.
  • October 2025: A path-traversal bug in Smithery’s MCP hosting leaked a Fly.io API token controlling more than 3,000 applications.

A vulnerability scan of public MCP servers by the vulnerablemcp.info research project found that 43% contain command injection vulnerabilities enabling remote code execution, 43% have flawed OAuth flows, and 33% allow unrestricted network access. A Practical DevSecOps analysis of open-source MCP repositories put the tool-poisoning problem in starker terms: 5% of open-source MCP servers are already seeded with malicious tool descriptions designed to hijack AI assistants.

The root cause isn’t surprising if you’ve watched new protocols mature before. Security was an afterthought. The design prioritized simplicity and developer adoption above all else. Authentication is recommended, not enforced. There’s no mechanism for verifying message integrity in transit. Tool descriptions — which AI models read to decide what to call — can be manipulated to inject malicious instructions, a class of attack called “tool poisoning.”

Dhanji R. Prasanna, CTO at Block, called MCP “the bridge that connects AI to real-world applications, ensuring innovation is accessible, transparent, and rooted in collaboration” at the November 2024 launch. That’s not wrong. Bridges have weight limits, and this one is still learning its.

What Model Context Protocol Means If You’re Not a Developer

MCP servers you install have significant access. That’s the sentence to hold onto.

An MCP server connected to your GitHub account can read your repos. One connected to Slack can read your messages. One connected to your file system — which several popular MCP servers are — can read your files. The security of those connections depends almost entirely on the quality of the individual server implementation, which as the 2025 track record shows, varies dramatically even among widely-used packages.

The November 2025 protocol update added stateless operation, server identity verification, and async operations — material improvements to the security model. The community registry now provides a cleaner evaluation path before you install something. These changes matter.

But the ecosystem is still young. Unvetted community MCP servers deserve the same skepticism you’d apply to an unvetted browser extension. If you don’t know who built it, what version it’s running, and whether it’s been audited, don’t grant it access to your production accounts. This applies even if you found it through a popular vibe-coding or AI development setup — the convenience pipeline and the security pipeline are not the same pipeline.

The productivity upside is real: MCP-enabled AI workflows are already doing work that previously required custom development. For power users who vet their sources carefully, those gains are legitimate and substantial.

The Actual State of MCP in 2026

MCP solved a genuine infrastructure problem. The M×N connector nightmare was real, and having a common protocol that every major AI vendor has committed to is a meaningful win for the ecosystem. Anthropic’s decision to open-source it first and then donate governance to a neutral foundation was exactly right — it’s what turns a vendor tool into actual shared infrastructure.

Where we are in early 2026: MCP is critical infrastructure in early adolescence. It works. The tools built on it work. The vendor commitments are credible. The security record is also real, and the security work is ongoing rather than complete. Enterprise IT teams that deploy MCP without understanding the attack surface are taking on risk they probably haven’t quantified yet.

If you’re a developer, the window to get ahead of this is now. The tooling is good, the documentation has improved considerably since launch, and MCP fluency will matter in the same way that REST API fluency mattered a decade ago. If you’re an end user encountering MCP-enabled features in tools you already use, the bar is simpler: verify the MCP server is from a vetted source, check what access it’s requesting, and don’t install things from the community registry without doing fifteen minutes of homework first.

The protocol is not going away. The security work is not done. That’s a fairly honest account of 15 months of fast-moving infrastructure history.

Sources: