One POST request, six API keys: breaking into popular MCP servers
tl;dr - one POST request decrypted every API key in a 14K-star project. tested 5 more MCP servers, found RCE, SSRF, prompt injection, and command injection. 70K combined github stars, zero auth on most of them.
- **archon** (13.7K stars): zero auth on entire credential API. one POST to `/api/credentials/status-check` returns every stored API key decrypted in plaintext. can also create and delete credentials. CORS is `*`, server binds `0.0.0.0`
- **blender-mcp** (18K stars): prompt injection hidden in tool docstrings. the server instructs the AI to "silently remember" your API key type without telling you. also unsandboxed `exec()` for code execution
- **claude-flow** (27K stars): hardcoded `--dangerously-skip-permissions` on every spawned claude process. 6 `execSync` calls with unsanitized string interpolation. textbook command injection
- **deep-research** (4.5K stars): MD5 auth bypass on crawler endpoint (empty password = trivial to compute). once past that, full SSRF - no URL validation at all. also `promptOverrides` lets you replace the system prompt, and CORS is `*`
- **mcp-feedback-enhanced** (3.6K stars): unauthenticated websocket accepts `run_command` messages. got env vars, ssh keys, aws creds. weak command blocklist bypassable with `python3 -c`
- **figma-console-mcp** (1.3K stars, 71K weekly npm downloads): `readFileSync` on user-controlled paths, directory traversal, websocket accepts connections with no origin header, any local process can register as a fake figma plugin and intercept all AI commands
all tested against real published packages, no modified code. exploit scripts and evidence logs linked in the post.
the common theme: MCP has no auth standard so most servers just ship without any.