MCP Security Best Practices 2026
The MCP ecosystem has grown fast and the security posture of most deployments has not kept pace. A May 2026 scan of the top 400 MCP packages found that 75% carry known CVEs. That number is not a long-tail problem — it includes the two most widely used SDKs in the ecosystem, each carrying 3 HIGH-severity vulnerabilities. Teams shipping MCP-powered agents into production today are, in most cases, doing so on a dependency stack with known, unpatched vulnerabilities.
This checklist is the practical response to that reality. Six concrete practices, each of which reduces your exposure in a measurable way.
Full CVE data, affected package versions, and exploit classification are in the State of MCP Security 2026 report.
1. Pin Dependencies and Run Audit in CI
Add npm audit --audit-level=high (for Node-based MCP servers) or pip-audit (for Python-based ones) as a required CI check. Configure it to fail on HIGH or CRITICAL findings so new CVEs in the dependency tree block the merge rather than silently shipping.
Pin your direct dependencies to exact versions in package.json or requirements.txt. Use a lockfile — package-lock.json or poetry.lock — and commit it. Pinning and lockfiles together ensure that the dependency tree you audit in CI is identical to the one that runs in production.
Review and update pins on a regular schedule rather than waiting for a vulnerability to force it. Stale dependencies are the most common reason teams discover they are running known-vulnerable packages.
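As an added illustration of the pinning rule (this is example code written for this checklist, not a Navil tool or any part of its product), the script below scans a requirements.txt and a package.json for entries that are not pinned to an exact version and returns a non-zero status, so it can sit next to npm audit or pip-audit as a CI gate. Both input files are constructed inline; the definition of "pinned" it uses (== in requirements.txt, a bare x.y.z in package.json) is this example's own assumption.

```python
"""Added example (not Navil's code): fail CI when a dependency is not exactly pinned.

Assumption used here: "pinned" means '==' in requirements.txt and a bare
'x.y.z' (no ^, ~, >=, * or VCS/URL source) in package.json. An unpinned entry
lets the tree you audited in CI differ from the one that runs in production.
"""
import json
import re

# Constructed sample inputs for a hypothetical MCP server; not from the page.
REQUIREMENTS_TXT = """\
# direct dependencies
mcp==1.2.3
httpx>=0.27
pydantic
-e git+https://example.invalid/repo.git   # VCS source, not reproducible
anyio==4.4.0 ; python_version >= "3.9"
"""

PACKAGE_JSON = json.dumps({
    "name": "example-mcp-server",
    "dependencies": {
        "@modelcontextprotocol/sdk": "^1.0.0",
        "zod": "3.23.8",
        "express": "~4.19.0",
        "left-pad": "*",
    },
    "devDependencies": {"typescript": "5.4.5", "vitest": ">=1"},
})

# name==version, optionally followed by an environment marker after ';'
_PIP_EXACT = re.compile(r"^([A-Za-z0-9_.\-\[\]]+)\s*==\s*[0-9][^\s;]*")
# exact semver, optionally with a pre-release/build tag
_NPM_EXACT = re.compile(r"^\d+\.\d+\.\d+([-+][0-9A-Za-z.]+)?$")


def unpinned_requirements(text: str) -> list[str]:
    """Return requirement lines (comments stripped) that are not exact '==' pins."""
    bad = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or line.startswith(("-r", "-c")):  # blank line or include directive
            continue
        if not _PIP_EXACT.match(line):
            bad.append(line)
    return bad


def unpinned_npm(package_json: str) -> list[str]:
    """Return 'name@range' for every dependency whose range is not an exact version."""
    data = json.loads(package_json)
    bad = []
    for section in ("dependencies", "devDependencies"):
        for name, rng in data.get(section, {}).items():
            if not _NPM_EXACT.match(rng):
                bad.append(f"{name}@{rng}")
    return bad


def ci_gate(requirements: str, package_json: str) -> int:
    """Exit status for a CI step: 0 when everything is pinned, 1 otherwise."""
    problems = unpinned_requirements(requirements) + unpinned_npm(package_json)
    for p in problems:
        print(f"unpinned: {p}")
    return 1 if problems else 0


if __name__ == "__main__":
    raise SystemExit(ci_gate(REQUIREMENTS_TXT, PACKAGE_JSON))
```

Run it against the real files in your repository by reading them in place of the constructed strings; the lockfile check (is package-lock.json or poetry.lock committed and current?) is a separate step that this script does not cover.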
2. Scope Tool Access Per Agent
The default tool surface for most MCP deployments is "everything the server exposes." That is almost never what any individual agent actually needs. Define a navil.yaml policy alongside your agent configuration that explicitly lists the tools each agent is allowed to call:
    # navil.yaml
    policy:
      allow:
        - tool: read_file
          scope: "./src/**"
        - tool: search_codebase
        - tool: create_pr
      deny:
        - tool: "*"
      default: true

Scoping tool access to what the agent demonstrably needs produces a 94% reduction in schema tokens. That means lower prompt costs and, more importantly, a dramatically smaller action space for any injection or model error to exploit. The policy file lives in your repository, is reviewed in code review, and is enforced at runtime — not just documented in a README.
3. Wrap Servers Before They Reach Production
navil secure wraps your existing MCP server configuration and interposes on every tool call before it reaches the server. Setup takes approximately 47 seconds:
    pip install navil
    navil secure

The proxy enforces the policy defined in navil.yaml on each call, with 2.7 µs overhead at p50 and 6.1 µs at p99. It works with Claude Code, Cursor, Continue, OpenClaw, and custom MCP agents without requiring changes to the MCP server itself.
Wrapping at the proxy layer rather than the application layer means enforcement is consistent regardless of which agent, which model, or which developer wrote the calling code. Policy is defined once and applied uniformly.
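To make sections 2 and 3 concrete, here is an added example of what a deny-by-default tool policy looks like when it is enforced at the call layer. This is illustrative code written for this checklist, not Navil's proxy and not its policy semantics: the policy dict mirrors the navil.yaml sketch above (allow entries with an optional path scope, everything else denied), but the glob matching, the choice of a `path` argument as the scoped field, and the JSON-RPC error code are this example's own assumptions. It also shows the schema-trimming effect from section 2 by filtering a tools/list result down to the allowed tools.

```python
"""Added example (not Navil's code): allow-list policy applied to MCP tools/call
requests at a proxy, plus tools/list filtering.

Assumptions: scope globs are matched against an argument named 'path' with
fnmatch semantics after normalisation, so '../' escapes are caught; the
JSON-RPC error code for a rejected call is this example's choice.
"""
import fnmatch
import json
import posixpath

# Constructed policy, equivalent in intent to the YAML sketch in section 2.
POLICY = {
    "allow": [
        {"tool": "read_file", "scope": "./src/**"},
        {"tool": "search_codebase"},
        {"tool": "create_pr"},
    ],
}


def _in_scope(path: str, scope: str) -> bool:
    """True if the normalised path stays under the workspace and matches the glob."""
    norm = posixpath.normpath(path)
    if norm.startswith("..") or norm.startswith("/"):
        return False                      # escaped the workspace root
    pattern = posixpath.normpath(scope)   # './src/**' -> 'src/**'
    # fnmatch's '*' already crosses '/', so '**' behaves as "any depth" here.
    return fnmatch.fnmatchcase(norm, pattern)


def evaluate(policy: dict, tool: str, args: dict) -> tuple[bool, str]:
    """Deny by default: allowed only if an allow entry matches the tool and its scope."""
    for entry in policy.get("allow", []):
        if entry["tool"] != tool:
            continue
        scope = entry.get("scope")
        if scope is None:
            return True, "allowed"
        path = args.get("path")
        if isinstance(path, str) and _in_scope(path, scope):
            return True, "allowed"
        return False, f"argument path={path!r} outside scope {scope!r}"
    return False, f"tool {tool!r} not in allow list"


def intercept(raw_request: str, policy: dict = POLICY) -> dict:
    """Proxy hook: forward an allowed tools/call or answer it with a JSON-RPC error.

    Returns {'action': 'forward', 'request': ...} or {'action': 'reject', 'response': ...}.
    Messages other than tools/call (initialize, tools/list, ...) pass through untouched.
    """
    req = json.loads(raw_request)
    if req.get("method") != "tools/call":
        return {"action": "forward", "request": req}
    params = req.get("params", {})
    ok, reason = evaluate(policy, params.get("name", ""), params.get("arguments", {}))
    if ok:
        return {"action": "forward", "request": req}
    return {
        "action": "reject",
        "response": {
            "jsonrpc": "2.0",
            "id": req.get("id"),
            # -32602 is JSON-RPC "invalid params"; using it here is this example's choice.
            "error": {"code": -32602, "message": f"policy violation: {reason}"},
        },
    }


def visible_tools(policy: dict, server_tools: list[dict]) -> list[dict]:
    """Filter a tools/list result to the allowed tools, shrinking the schema the model sees."""
    allowed = {e["tool"] for e in policy.get("allow", [])}
    return [t for t in server_tools if t["name"] in allowed]


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    good = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                       "params": {"name": "read_file", "arguments": {"path": "./src/app.py"}}})
    escape = json.dumps({"jsonrpc": "2.0", "id": 2, "method": "tools/call",
                         "params": {"name": "read_file", "arguments": {"path": "src/../.env"}}})
    print(intercept(good)["action"], intercept(escape)["action"])
```

The point of placing `intercept` in the proxy rather than in the agent is the one section 3 makes: the same `evaluate` runs for every client, and a request that escapes the scope with `../` is rejected before the server ever sees it.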
4. Monitor at the Call Layer, Not Just the Perimeter
Network-perimeter monitoring — WAFs, IDS, egress filtering — remains relevant, but it does not give you visibility into what tools an agent is calling or why. Instrument at the MCP call layer so you have a record of every tool invocation, the arguments passed, and the outcome.
Navil evaluates every tool call against 568 detection patterns across 36 categories, including prompt injection indicators, data exfiltration sequences, and privilege escalation patterns. Anomalies that pass the policy check are flagged and logged with enough context to reconstruct the agent's behavior at the time.
Establish a baseline of normal call patterns for each agent during a canary period before full production rollout. Deviations from baseline are the earliest signal that something has changed — either in the agent's behavior, the model's output, or the content it is processing.
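The baseline idea above can be shown on sample data. The following is an added example written for this checklist, not Navil's detector and not any of its 568 patterns: it reads call-layer audit logs in a constructed JSONL shape (agent, tool, args, outcome), learns each agent's normal tool/argument shapes from a canary period, and then flags production calls that deviate. Two simple detection rules are included to show what a call-layer signal looks like (a read of a sensitive path, and an outbound-looking call following such a read); the sensitive-path list and outbound tool names are illustrative assumptions.

```python
"""Added example (not Navil's code): per-agent baseline of tool-call patterns
from a canary period, then deviation and sequence detection on production calls.

Log shape is this example's assumption: one JSON object per line with
ts, agent, tool, args and outcome. The detection rules are illustrative.
"""
import json
from collections import defaultdict

# Constructed canary-period log: what "normal" looked like for this agent.
CANARY_LOG = """\
{"ts": "2026-05-01T10:00:01Z", "agent": "reviewer", "tool": "read_file", "args": {"path": "src/app.py"}, "outcome": "ok"}
{"ts": "2026-05-01T10:00:04Z", "agent": "reviewer", "tool": "search_codebase", "args": {"query": "TODO"}, "outcome": "ok"}
{"ts": "2026-05-01T10:00:09Z", "agent": "reviewer", "tool": "create_pr", "args": {"title": "fix"}, "outcome": "ok"}
{"ts": "2026-05-01T10:01:00Z", "agent": "reviewer", "tool": "read_file", "args": {"path": "src/util.py"}, "outcome": "ok"}
"""

# Constructed production log with two things the baseline never saw.
PROD_LOG = """\
{"ts": "2026-05-02T09:00:01Z", "agent": "reviewer", "tool": "read_file", "args": {"path": "src/main.py"}, "outcome": "ok"}
{"ts": "2026-05-02T09:00:02Z", "agent": "reviewer", "tool": "read_file", "args": {"path": ".env"}, "outcome": "ok"}
{"ts": "2026-05-02T09:00:03Z", "agent": "reviewer", "tool": "http_post", "args": {"url": "https://example.invalid/x", "body": "..."}, "outcome": "blocked"}
{"ts": "2026-05-02T09:00:05Z", "agent": "reviewer", "tool": "search_codebase", "args": {"query": "auth", "limit": 5}, "outcome": "ok"}
"""

SENSITIVE_PREFIXES = (".env", ".git/", "~/.ssh", "/etc/")   # illustrative list
OUTBOUND_TOOLS = {"http_post", "send_email", "webhook"}      # illustrative list


def parse(log: str) -> list[dict]:
    return [json.loads(line) for line in log.splitlines() if line.strip()]


def shape(call: dict) -> tuple:
    """Baseline key: tool name plus the sorted tuple of argument names."""
    return (call["tool"], tuple(sorted(call.get("args", {}))))


def build_baseline(calls: list[dict]) -> dict[str, set]:
    base = defaultdict(set)
    for c in calls:
        base[c["agent"]].add(shape(c))
    return dict(base)


def detect(calls: list[dict], baseline: dict[str, set]) -> list[dict]:
    """Return one finding per rule hit, with enough context to locate the call."""
    findings = []
    last_sensitive_read = {}   # agent -> ts of its most recent sensitive read
    for c in calls:
        agent = c["agent"]
        if shape(c) not in baseline.get(agent, set()):
            findings.append({"rule": "baseline_deviation", "agent": agent,
                             "tool": c["tool"], "ts": c["ts"]})
        path = str(c.get("args", {}).get("path", ""))
        if c["tool"] == "read_file" and path.startswith(SENSITIVE_PREFIXES):
            findings.append({"rule": "sensitive_read", "agent": agent,
                             "tool": c["tool"], "ts": c["ts"]})
            last_sensitive_read[agent] = c["ts"]
        elif c["tool"] in OUTBOUND_TOOLS and agent in last_sensitive_read:
            # Outbound call after an earlier sensitive read by the same agent
            # (no time window in this sketch; add one for real traffic).
            findings.append({"rule": "exfil_sequence", "agent": agent,
                             "tool": c["tool"], "ts": c["ts"],
                             "after_read_at": last_sensitive_read[agent]})
    return findings


def run(canary: str = CANARY_LOG, prod: str = PROD_LOG) -> list[str]:
    """Rule names fired, in order, for the production log against the canary baseline."""
    baseline = build_baseline(parse(canary))
    return [f["rule"] for f in detect(parse(prod), baseline)]


if __name__ == "__main__":
    for rule in run():
        print(rule)
```

Note that the `http_post` call already has `outcome: blocked` in the sample: the policy check stopped it, and the monitoring layer still records and flags it, which is the "anomalies that pass the policy check are flagged and logged" behaviour described above applied to both allowed and blocked calls.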
5. Know Which SDKs Your Servers Depend On
As of May 2026, @modelcontextprotocol/sdk (Anthropic's Node.js MCP SDK) carries 3 HIGH CVEs. The mcp Python SDK also carries 3 HIGH CVEs. Together, these two packages are present in 54–68% of the MCP ecosystem. If you are running an MCP server today and have not checked your SDK version against the advisory list, there is a better-than-even chance you are running on an affected version.
Run npm ls @modelcontextprotocol/sdk or pip show mcp to check your installed version. Cross-reference against the advisory data in the State of MCP Security 2026 report. If you are on an affected version, patch where a fix is available. Where no fix exists, runtime enforcement via navil secure provides a compensating control that limits the call patterns an attacker could use to exploit the vulnerability.
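As an added example of the version check just described (written for this checklist, not taken from the report or from Navil), the script below extracts the installed versions from constructed samples of `pip show mcp` and `npm ls @modelcontextprotocol/sdk --json` output and compares them against an advisory table. The affected and fixed versions in that table are placeholders, because this page does not reproduce the report's CVE data; substitute the ranges from the report before relying on the result.

```python
"""Added example (not from the report): compare installed MCP SDK versions with
an advisory table of affected version ranges.

ADVISORIES below holds PLACEHOLDER ranges, not the real affected versions.
Each entry is (first affected, first fixed or None when no fix exists).
Inputs are constructed samples of `pip show mcp` and `npm ls --json` output.
"""
import json
import re
from typing import Optional

PIP_SHOW_MCP = """\
Name: mcp
Version: 1.4.1
Summary: Model Context Protocol SDK
Location: /srv/agent/.venv/lib/python3.12/site-packages
"""

NPM_LS_JSON = json.dumps({
    "name": "example-mcp-server",
    "dependencies": {"@modelcontextprotocol/sdk": {"version": "1.2.0"}},
})

# PLACEHOLDER advisory data; replace with the ranges from the report.
ADVISORIES = {
    "mcp": [("1.0.0", "1.5.0")],                 # fix available at 1.5.0 (placeholder)
    "@modelcontextprotocol/sdk": [("1.0.0", None)],  # no fix yet (placeholder)
}


def vtuple(v: str) -> tuple:
    """'1.4.1' -> (1, 4, 1); a pre-release tag after '-' is dropped (assumption)."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def pip_show_version(output: str) -> Optional[str]:
    m = re.search(r"^Version:\s*(\S+)", output, re.M)
    return m.group(1) if m else None


def npm_ls_version(output: str, package: str) -> Optional[str]:
    return json.loads(output).get("dependencies", {}).get(package, {}).get("version")


def assess(package: str, version: str, advisories: dict = ADVISORIES) -> dict:
    """Classify as clean, affected_fix_available (with the fix) or affected_no_fix."""
    installed = vtuple(version)
    for first, fixed in advisories.get(package, []):
        if installed >= vtuple(first) and (fixed is None or installed < vtuple(fixed)):
            if fixed is None:
                # No patch: this is where a runtime compensating control is needed.
                return {"package": package, "version": version, "status": "affected_no_fix"}
            return {"package": package, "version": version,
                    "status": "affected_fix_available", "fix": fixed}
    return {"package": package, "version": version, "status": "clean"}


def check_all(pip_show: str = PIP_SHOW_MCP, npm_ls: str = NPM_LS_JSON) -> list[dict]:
    results = []
    v = pip_show_version(pip_show)
    if v:
        results.append(assess("mcp", v))
    v = npm_ls_version(npm_ls, "@modelcontextprotocol/sdk")
    if v:
        results.append(assess("@modelcontextprotocol/sdk", v))
    return results


if __name__ == "__main__":
    for r in check_all():
        print(r)
```

In practice you would feed the script the live output of `pip show mcp` and `npm ls @modelcontextprotocol/sdk --json` from the deployment host, not from a developer machine, since the two can differ when pins are not enforced.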
6. Have an Answer When the Security Team Asks
When a security team or enterprise customer asks about your MCP deployment's security posture, they will want to see four things: evidence that dependencies are audited, documentation of what each agent is allowed to do, audit logs of tool calls, and a plan for how you respond to a policy violation.
Navil's governance proxy produces structured audit logs of every tool call — allowed and blocked — in a format suitable for SIEM ingestion. Policy is defined in navil.yaml, which is version-controlled and reviewable. The combination gives you a defensible answer: here is what each agent can do, here is the evidence that those policies are enforced, and here is the log of every action it has taken.
For teams with formal compliance requirements, the features page has details on the audit log format and retention options. Enterprise deployment options including SSO, self-hosted proxy, and SLA-backed support are on the enterprise page.
These six practices are not sequential. Dependency auditing and SDK version checks are things you can do today, before writing any policy. Policy scoping and runtime enforcement can be added incrementally — start with observe mode to understand actual call patterns, then tighten the policy based on evidence.
The starting point is pip install navil && navil secure. The quickstart covers the first integration in under five minutes. The features page has the full policy language reference and integration documentation.
Enforce policy on every tool call
Navil wraps your MCP servers in under 60 seconds — no changes to agent code. 568 detection patterns, 2.7 µs overhead.