Akash Sathish

@iamakash06

When the agent workflow survives production but the MCP server splits an RCE

Submitted May 31, 2026

Every enterprise AI workflow that matters in 2026 routes through MCP servers: the tools that give your AI agents access to files, databases, APIs and, ultimately, shell commands. But the security posture of these servers is systematically poor: 43% have command injection vulnerabilities, 36% have SSRF exposure, and the real CVEs (CVE-2025-6514, CVSS 9.6) come down to code like execSync(args.cmd). These are bugs that a static analyzer catches in 10 seconds.

This talk is about MCPeek: an offline TypeScript static analyzer that scans MCP server source code and fails the CI build before a vulnerable server reaches production. I’ll cover what the enterprise AI production stack actually looks like from a security perspective, how taint analysis works on MCP handler code, and what a first-of-its-kind audit of 50+ production MCP servers found.
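To make the taint idea concrete, here is a toy line-oriented source-to-sink check for the execSync(args.cmd) pattern, added here as an example; it is not MCPeek's code, which is assumed to work on a real AST, and the sink list and the sample handler are constructed.

```typescript
// Added example, not MCPeek's code: a toy line-oriented taint check for the
// execSync(args.cmd) pattern. A real analyzer works on an AST; this only shows
// the source -> sink idea on a constructed handler (no nested parens in calls).
interface Finding { line: number; sink: string; source: string }
// Assumed sink set: child_process calls that run a caller-supplied string.
const SINK_RE = /\b(execSync|exec|spawnSync|spawn)\s*\(([^)]*)\)/;

function findTaintedShellSinks(src: string, argsName = "args"): Finding[] {
  const findings: Finding[] = [];
  const tainted: Record<string, string> = {}; // local name -> origin in args
  const direct = new RegExp(`\\b${argsName}\\.\\w+`);            // args.cmd
  const decl = /\b(?:const|let|var)\s+(\w+)\s*=\s*(.+)/;         // const x = ...
  const destructure = new RegExp(`\\b(?:const|let|var)\\s*\\{([^}]*)\\}\\s*=\\s*${argsName}\\b`);
  // Origin of untrusted data visible in an expression, or undefined if none.
  const taintOf = (expr: string): string | undefined => {
    const d = expr.match(direct);
    if (d) return d[0];
    for (const name of Object.keys(tainted)) {
      if (new RegExp(`\\b${name}\\b`).test(expr)) return `${name} <- ${tainted[name]}`;
    }
    return undefined;
  };
  src.split("\n").forEach((text, i) => {
    // Propagation: `const { cmd } = args` (plain names only) and `const x = <tainted>`.
    const ds = text.match(destructure);
    if (ds) ds[1].split(",").map(s => s.trim()).filter(Boolean)
      .forEach(n => { tainted[n] = `${argsName}.${n}`; });
    const dc = text.match(decl);
    if (dc) { const o = taintOf(dc[2]); if (o) tainted[dc[1]] = o; }
    // Sink: flag the call when its argument list carries tainted data.
    const sk = text.match(SINK_RE);
    if (sk) { const o = taintOf(sk[2]); if (o) findings.push({ line: i + 1, sink: sk[1], source: o }); }
  });
  return findings;
}

// Constructed MCP tool handler: three injectable calls and one constant one.
const SAMPLE_HANDLER = [
  'server.tool("run", { cmd: z.string() }, async (args) => {',
  '  const cmd = args.cmd;',
  '  const out = execSync(cmd);',            // line 3: tainted via assignment
  '  execSync("ls " + args.path);',          // line 4: tainted inline
  '  const { host } = args;',
  '  execSync("ping -c 1 " + host);',        // line 6: tainted via destructuring
  '  execSync("uptime");',                   // line 7: constant, not flagged
  '  return { content: [{ type: "text", text: String(out) }] };',
  '});',
].join("\n");
```

Running findTaintedShellSinks(SAMPLE_HANDLER) reports lines 3, 4 and 6 with the chain back to the tool argument; the real tool additionally needs sanitizer awareness and AST-level tracking to avoid the false positives a line matcher like this produces.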

Key Takeaways:

  • How to evaluate a third-party MCP server before connecting it to your agent workflow (the “due diligence, not runtime guarantee” model)
  • The specific vulnerability patterns to look for: command injection, path traversal, SSRF, hardcoded credentials, tool poisoning via description fields
  • How to add MCPeek to your CI pipeline (GitHub Action, two lines, fails on high-severity findings, SARIF output to GitHub Code Scanning)
  • What the limits of static analysis are and which runtime tools to pair with it for the threats it can’t see

This is not a research talk. Every finding I present maps to a public CVE. The tool is open-source (GitHub repository, npm package). The CI integration I’ll show is production-ready today. The audit data I’ll present is from real MCP servers your team may already be using.

Target Audience: AI Engineers, AppSec, DevSecOps Engineers, Engineering Leads, Platform and Infrastructure Engineers.

Speaker Bio: I’m a Solution Consultant at Sahaj Software in Chennai. I’ve been neck-deep in MCP, Claude Code, and agentic architectures since before they had proper names. I’ve spoken at GitTogether 2025, The Fifth Elephant 2025, and many other conferences across AI-assisted development, MCPs and privacy-preserving ML. Right now I’m obsessed with: what happens to developer cognition when AI writes most of your code, why nobody’s building agent runtimes for the browser yet, and MCP security. LinkedIn
