We Looked at 23,451 MCP Servers. 66% Had Security Findings. Here Are the 18 We'd Trust.

Glama.ai lists 23,451 Model Context Protocol servers. PulseMCP curates 8,013. Smithery hosts roughly 6,000. mcp.so claims 16,000. Numbers vary wildly because no one agrees what counts: a working GitHub repo? A registered server in the official registry.modelcontextprotocol.io metadata index? A line in punkpeye/awesome-mcp-servers (86.8k stars)? They are not the same set.

What everyone does agree on is that quality is brutal. Snyk's ToxicSkills report identified the first coordinated malware campaign targeting Claude Code users in February 2026. Trend Micro's network exposure scan found 492 MCP servers reachable on the public internet with no authentication or TLS. Between January and February 2026, security researchers filed over 30 CVEs against MCP servers, clients, and proxy infrastructure. Bloomberry's methodical audit of 1,412 servers found 38.7% accept connections with no authentication, 22.9% have unrestricted CORS, and only 2.4% implement rate limiting.

Across the studies we read, the rough quality distribution is: 66% of scanned servers have at least one security finding, 13% have something that would block a corporate review, and a thin top tier (under 5%) is actually safe to wire up to an agent that touches private data. This post names that top tier.

How we picked the 18

We worked through the corpus in three passes.

Pass 1 — provenance. We threw out anything not maintained by the vendor whose data it touches, an Anthropic reference implementation, or a maintainer with a track record of shipping security fixes inside two weeks. That eliminates roughly 85% of the long tail immediately. Pass 2 — auth and transport. We required OAuth 2.1 or a properly scoped API key for any server with write capability, and we required Streamable HTTP or stdio (no plain SSE, no plain HTTP). The MCP spec deprecated SSE in favor of Streamable HTTP in March 2025 and servers that still expose only SSE are dragging. Pass 3 — disclosure history. We checked each repo's issues and CHANGELOG for the CVEs that hit this ecosystem during 2025–2026: CVE-2025-6514 (mcp-remote command injection, CVSS 9.6), CVE-2025-54136 ("MCPoison" tool-description tampering against Cursor), CVE-2025-53109 and CVE-2025-53110 ("EscapeRoute" filesystem escapes against Anthropic's reference filesystem server), the WhatsApp MCP tool-poisoning incident, the Asana cross-tenant exposure, and the Postmark supply-chain impersonation. A server that ignored the disclosure or shipped a half-fix did not make the list.

The remaining 18 are the servers we would install today on a laptop with our git credentials, our employer's Slack token, and our Stripe live key on it. Each one is grouped by job-to-be-done.

Databases and analytics

1. crystaldba/postgres-mcp — replacement for Anthropic's archived @modelcontextprotocol/server-postgres. The original was archived in 2025 with a known COMMIT; DROP TABLE SQL-injection bypass that has never been fixed in the archived branch. crystaldba's replacement adds parameterized query enforcement, optional read-only mode, and explicit table-allowlist support. Use it. (Glama category) 2. supabase-community/supabase-mcp — official-community implementation. Caveat we'd cite in any onboarding doc: Supabase explicitly says this is for development and testing, not production. The server has full data-plane access and there is no row-level-security model that survives MCP tool calls. Use it locally; do not point it at prod.

Source control and code

3. github/github-mcp-server — the official replacement after @modelcontextprotocol/server-github was archived. Fine-grained PAT support, scope review on first run, repo-allowlist via env var. The April 2026 prompt-injection issue (issue tracker description injecting tool calls) has a documented mitigation: turn off auto-respond on issue triage. 4. gitmcp.io — read-only Git server backed by a hosted indexer. Useful when you need a coding agent to read a public repo without cloning it. Public-only; do not feed it private repo URLs.

Browser automation

5. microsoft/playwright-mcp — Microsoft's official Playwright bridge. The agent gets browser.click, browser.fill, browser.screenshot, and snapshotting; it does not get raw shell access. We prefer it to the reference Puppeteer server because the sandbox is tighter and the maintainer ships fixes inside 48 hours. 6. browserbase — when you need a remote-hosted browser that survives across calls. Pricing is non-trivial; the security model holds up.

Collaboration tools

7. korotovsky/slack-mcp-server — OAuth flow is properly scoped (you don't have to grant chat:write to read channel history) and the maintainer has shipped two security patches inside the disclosure window. The official docs.slack.dev server requires bot-token scope grants that are coarser; pick korotovsky for read-heavy workflows. 8. makenotion/notion-mcp-server — official, OAuth-gated, 18 tools. Notion has been one of the more responsive vendors when integrators report bugs. 9. atlassian/atlassian-mcp-server — official Rovo-backed Jira/Confluence server. Cloud only; if you're on Data Center you fall back to sooperset/mcp-atlassian which we'd use only inside a private network. 10. linear.app/docs/mcp (mcp.linear.app/mcp) — official remote MCP, OAuth 2.1 with PKCE. Clean implementation, no surprises.

Search and retrieval

11. brave/brave-search-mcp-server — official Brave Search MCP. Used heavily by autoresearch ports. Brave's API enforces rate limiting at the gateway so the server doesn't have to. 12. upstash/context7 — documentation lookup across thousands of libraries. Read-only by design, which sidesteps the entire lethal trifecta (Simon Willison's term for private-data + untrusted-content + exfiltration capability).

Knowledge and personal data

13. cyanheads/obsidian-mcp-server — best of the three competing Obsidian implementations we evaluated. Handles the 4,000-note vault context-window problem that PaulDickson, Lakshan, and Cristian flagged on the official forum. We pair it with Cristian's "mirror vault" pattern — never expose the personal vault directly.

Payments and ops

14. docs.stripe.com Stripe MCP (mcp.stripe.com) — official, OAuth-gated, scoped per Stripe key. The Stripe team has been one of the few API vendors that documented their MCP exposure surface as carefully as their core REST surface. 15. Sentry official MCP — remote, OAuth. Read-only by default. Useful for hooking incident triage into an agent without granting the agent the ability to silence alerts.

Infrastructure

16. vercel.com/docs/agent-resources/vercel-mcp — official. Distinguish from vercel/next-devtools-mcp, which is the dev-time inspector. The deploy server is what you want for agent workflows; the dev-time server is what you want for IDE work. 17. awslabs.github.io/mcp (specifically aws-finops-mcp) — out of 60+ AWS official servers, this is the one most teams actually need first because it answers the only AWS question agents are good at: "what is this costing me?"

Reference / utility

18. Anthropic Sequential Thinking, Fetch, Filesystem, Git, Memory, Time — the 7 remaining reference servers in modelcontextprotocol/servers after the archival sweep. Filesystem specifically — make sure you are on a version post-EscapeRoute (CVE-2025-53109 / CVE-2025-53110). Old pinned versions are still in the wild.

Where this fails

This list will be wrong inside 90 days. Three reasons:

The protocol is changing. The MCP 2026 roadmap introduces .well-known discovery, a Tasks primitive for async agent communication, and tighter consent UX. Servers that lag the spec slip down the list. Maintainers churn. Three of the servers on the list were maintained by individuals in 2025 and have since been adopted by their parent companies. Two went the other way — the maintainer moved on and the repo went stale. We re-audit quarterly. The categories we did not cover. Vector DBs (Pinecone, Qdrant, Chroma), HR/CRM (HubSpot, Salesforce, Merge), and edge platforms (Cloudflare, Fly.io) have decent options that we did not have room for here. They are not on the list because we ran out of evaluation budget, not because they are bad.

A separate failure mode worth naming: the 23,451 number from Glama is itself misleading. It includes forks, dead repos, and metadata-only registry entries with no working code. The realistic count of distinct, working, maintained MCP servers in May 2026 is closer to 2,000. Any vendor citing a five-digit number is selling you a denominator, not a numerator.

What to read next

• /topic/best-mcp-servers-2026 — the live verified list, updated monthly
• /topic/mcp-security — the trifecta, the CVEs, the runbook
• /topic/mcp-tool-overload — why installing 8 of these will make your agent worse, not better
• /topic/mcp-postgres — the Postgres MCP deep-dive (why the official one was archived, what replaced it)
• /for/security-conscious-ai-team — the audit checklist
• /blog/anthropic-archived-mcp-servers — the half-archive story
• /blog/state-of-mcp-2026 — the broader ecosystem report

Sources

• Glama. "23,451 MCP Servers". Server count and A–F quality grades, accessed 2026-05-12.
• Bloomberry. "We Analyzed 1,412 MCP Servers". Auth/CORS/rate-limit findings.
• Trend Micro. "MCP Security: Network-Exposed Servers Are Backdoors to Your Private Data". 492 exposed servers.
• Snyk. "ToxicSkills: Malicious AI Agent Skills". First coordinated malware campaign, February 2026.
• Hey Yuan. "MCP Security 2026". 30+ CVEs catalog, CVE-2025-6514 (mcp-remote RCE, CVSS 9.6).
• Anthropic. "MCP Security Best Practices".
• Simon Willison. "The Lethal Trifecta".
• Vulnerable MCP Project. https://vulnerablemcp.info/.
• Endor Labs. "Classic vulnerabilities meet AI infrastructure: why MCP needs AppSec".
• Anthropic. Reference servers repository — current 7 (Everything, Fetch, Filesystem, Git, Memory, Sequential Thinking, Time).
• Obsidian forum. "Obsidian MCP servers — experiences and recommendations". PaulDickson + Lakshan + Cristian quotes.

FAQ

Q: Why aren't more "popular" MCP servers on this list? A: Popularity in this ecosystem correlates poorly with safety. The mcp-remote package had 437,000 downloads when CVE-2025-6514 hit it. Install count is not a quality signal in MCP land — the protocol is too young. Q: Should I install all 18? A: No. Eclipsesource measured that 5 active MCP servers commonly burn 66,000 tokens before user input — about a third of Claude Sonnet 4.6's 200k context window. The math is: pick 3 by job-to-be-done, lazy-load the rest if your client supports it. Q: What about paid MCP servers? A: Out of scope for this list. Paid MCP servers are still under 5% of the market and the verification model is different — you are trusting the vendor's paid SLA, not auditing the source. We cover them separately in /topic/paid-mcp-servers. Q: How do you re-audit quarterly? A: We re-run the three passes (provenance, auth/transport, disclosure history) every 90 days. The list updates at /topic/best-mcp-servers-2026. We publish a diff post when a server is added or removed. Q: What does "we'd install today" actually mean? A: It means: on a personal laptop, with personal credentials, with the agent allowed to read but not write by default, after reviewing the server's tool descriptions. It does not mean we'd point it at a production database without further review. Use the security checklist before you turn any of these loose on your real data.