Damn Vulnerable MCP Server

Intentionally vulnerable MCP server for security education — modeled after DVWA (Damn Vulnerable Web Application), it exposes common MCP security vulnerabilities including prompt injection, tool poisoning, excessive permissions, and authentication flaws, enabling security researchers and developers to learn MCP attack/defense patterns in a safe environment.

Evaluated Mar 06, 2026 (0d ago) vcurrent
Homepage ↗ Repo ↗ Developer Tools security education vulnerable mcp-server ctf penetration-testing dvwa
⚙ Agent Friendliness
76
/ 100
Can an agent use this?
🔒 Security
24
/ 100
Is it safe for agents?
⚡ Reliability
68
/ 100
Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality
68
Documentation
75
Error Messages
65
Auth Simplicity
95
Rate Limits
90

🔒 Security

TLS Enforcement
20
Auth Strength
10
Scope Granularity
20
Dep. Hygiene
65
Secret Handling
20

Intentionally insecure by design for security education. Never use in production.

⚡ Reliability

Uptime/SLA
80
Version Stability
65
Breaking Changes
65
Error Recovery
60
AF Security Reliability

Best When

A security researcher or developer needs to study MCP-specific attack patterns — prompt injection, tool poisoning, SSRF via MCP — in a controlled, intentionally vulnerable environment.

Avoid When

You need a secure MCP server for production use — this is deliberately insecure.

Use Cases

  • Learning MCP security vulnerabilities in a safe sandbox environment
  • Testing MCP security scanners and detection tools against known vulnerabilities
  • Security training for developers building MCP-connected agents
  • CTF challenges and security education workshops on MCP threats
  • Research into MCP-specific attack vectors like prompt injection and tool poisoning
  • Benchmarking LLM security defenses against adversarial MCP servers

Not For

  • Production use — intentionally insecure by design
  • Non-security contexts — purpose-built for offensive security education
  • Teams without security research context

Interface

REST API
No
GraphQL
No
gRPC
No
MCP Server
Yes
SDK
No
Webhooks
No

Authentication

Methods: none
OAuth: No Scopes: No

Intentionally no authentication — by design for security education. Run only in isolated environment. Never expose to internet.

Pricing

Model: free
Free tier: Yes
Requires CC: No

Free open source security education tool. Self-hosted locally in isolated network.

Agent Metadata

Pagination
none
Idempotent
Full
Retry Guidance
Not documented

Known Gotchas

  • INTENTIONALLY VULNERABLE — never connect production agents or expose to internet
  • Designed to demonstrate prompt injection, tool poisoning, SSRF, excessive permissions
  • Run only in isolated network/VM — treat as a live exploit target
  • Security scores are low by design — this is the point of the tool
  • Educational use only — not a reference for secure MCP implementation
  • Useful for red-teaming MCP client implementations and LLM security defenses

Alternatives

nist-csf-2-mcp-server ida-mcp-server

Full Evaluation Report

Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for Damn Vulnerable MCP Server.

$99
API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-06.

5220
Packages Evaluated
26151
Need Evaluation
173
Need Re-evaluation
Community Powered