200,000 MCP Servers Are Exposed. Here's Why Serverless Is Safer.

I've spent a lot of time thinking about where MCP servers should live. I work with remote MCP servers constantly and do a lot of the architecture work around them. But I also use plenty of local ones. There's a simplicity to npx @modelcontextprotocol/server-whatever that's hard to argue with.

Then MCP crossed 300 million SDK downloads a month in April 2026, and a few days later, OX Security published a disclosure that put a number on what I'd been turning over in my head: the most popular MCP transport has no authentication, and 200,000 servers are running it in production.

That got me to finally put my thoughts together. The short version: the subprocess-spawn vulnerability that OX Security disclosed is specific to STDIO, the local transport. Remote MCP servers avoid that specific attack path, though they introduce different web and API security considerations. And if you're going to run remote MCP servers, I think serverless is the best place to do it.

Let's walk through it.

What OX Security found in MCP's STDIO transport

200,000 MCP Servers Are Exposed. Here's Why Serverless Is Safer.

Other newsrooms on this story

Related reading

Manifold Security Just Scored 7,700 MCP Servers. Here's Why That Number Should…

MCP command execution flaw: what security teams need to know

MCP For Software Engineers | Part 1 : Building Your First Server

We Scored 14,800+ MCP Servers on Behavioral Trust. Here's What We Found.

Ten MCP servers I shipped this year. I use three.

Defense in Depth for MCP Servers