Vulnerable MCP Servers Lab

Vulnerable MCP Servers Lab — a security research and education platform containing multiple intentionally vulnerable MCP server implementations demonstrating various MCP attack vectors including prompt injection, tool poisoning, data exfiltration, SSRF, and authentication bypass, organized as a progressive learning lab for security researchers and developers building MCP defenses.

Evaluated Mar 06, 2026 (0d ago) vcurrent
Homepage ↗ Repo ↗ Developer Tools security education vulnerable mcp-server lab penetration-testing red-team
⚙ Agent Friendliness
79
/ 100
Can an agent use this?
🔒 Security
21
/ 100
Is it safe for agents?
⚡ Reliability
69
/ 100
Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality
72
Documentation
78
Error Messages
68
Auth Simplicity
95
Rate Limits
90

🔒 Security

TLS Enforcement
15
Auth Strength
10
Scope Granularity
15
Dep. Hygiene
65
Secret Handling
15

All vulnerabilities intentional for education. Isolated environment mandatory. Never production use.

⚡ Reliability

Uptime/SLA
78
Version Stability
68
Breaking Changes
68
Error Recovery
62
AF Security Reliability

Best When

A security team needs a comprehensive lab environment for studying MCP-specific vulnerabilities — more complete than single-server options like damn-vulnerable-mcp-server, with multiple distinct vulnerability types organized as a learning curriculum.

Avoid When

You need a secure MCP server — this is deliberately and comprehensively insecure.

Use Cases

  • Learning MCP attack and defense patterns in a structured lab environment
  • Testing MCP security scanners against multiple known vulnerability types
  • Red-teaming MCP client implementations with diverse attack scenarios
  • Security research into novel MCP-specific attack vectors
  • CTF challenges and security training for AI/agent security teams
  • Benchmarking LLM security guardrails against MCP-specific threats

Not For

  • Production use — all servers are intentionally vulnerable
  • Non-security contexts — exclusively for offensive security education
  • Teams without AI security research experience (requires security context)

Interface

REST API
No
GraphQL
No
gRPC
No
MCP Server
Yes
SDK
No
Webhooks
No

Authentication

Methods: none
OAuth: No Scopes: No

Intentionally no auth on many servers — by design for security education. Run only in isolated, air-gapped environment.

Pricing

Model: free
Free tier: Yes
Requires CC: No

Free open source security lab from ruvnet. Self-hosted in isolated environment only.

Agent Metadata

Pagination
none
Idempotent
Full
Retry Guidance
Not documented

Known Gotchas

  • INTENTIONALLY VULNERABLE — never use in production or expose to network
  • Multiple distinct vulnerability types: prompt injection, SSRF, data exfiltration, auth bypass
  • Run only in isolated VM/container with no network access to external systems
  • ruvnet author has extensive MCP/AI security research background
  • More comprehensive than single-vulnerability targets — better for security curriculum
  • Some vulnerabilities may require specific LLM behaviors to trigger — document findings

Alternatives

damn-vulnerable-mcp-server nist-csf-2-mcp-server

Full Evaluation Report

Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for Vulnerable MCP Servers Lab.

$99
API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-06.

5220
Packages Evaluated
26151
Need Evaluation
173
Need Re-evaluation
Community Powered