Blog
ENPL

MCP in 2026 — from hype to grown-up tech with grown-up problems

A year ago Model Context Protocol was supposed to change everything. Today it's a standard, but the ecosystem has 20k servers, 92% exploitation odds at 10 plugins, and context bloat eating 70% of the window. Market overview, top 15, and 2026 trends.

·7 min read
#AI#MCP#claude-code#security
MCP in 2026 — from hype to grown-up tech with grown-up problems

A year ago Model Context Protocol was the new hot take. "MCP will change everything, agents will have real access to tools, no more parroting JSON in a prompt." Some of that happened. Some of it happened too fast.

In April 2026 we have over 20,000 public MCP servers, 97 million installs in March, OAuth 2.1 as transport standard, and in parallel an architectural CVE hitting most official SDKs, an OWASP MCP Top 10 report, and consensus that 66% of audited servers have security findings. The ecosystem matured. The problems matured with it.

This isn't a panic post. It's an inventory of where things stand at end of Q1 2026, what's worth installing, what to avoid, and what actually changed since last year.

Official servers — radical slimming

The modelcontextprotocol/servers repo in 2026 looks different than in 2025. Most of the original reference integrations got archived and moved to servers-archived. The steering group now maintains seven entries:

  • Everything, test/reference (prompts + resources + tools)
  • Fetch, fetch and convert web content
  • Filesystem, file ops with ACL
  • Git, read/search/manipulate repo
  • Memory, persistent knowledge graph
  • Sequential Thinking, structured reasoning
  • Time, timezones and conversions

The rest, GitHub, GitLab, Slack, Postgres, Sentry, Brave Search, Puppeteer, got handed off to vendors or community. This is a meaningful signal: Anthropic deliberately doesn't want to be the curator of every integration. Slack is now maintained by Zencoder. GitHub by GitHub. Brave by Brave. Anthropic sits on the spec and registry, not the implementations.

The second new thing is registry.modelcontextprotocol.io, a metaregistry. Works like DNS: enforces namespace uniqueness but doesn't host code. Backed by Anthropic + GitHub + PulseMCP + Microsoft. Marketplaces (Smithery, Glama, mcp.so) still exist and distribute servers; the registry only anchors "who is who".

Top 15 actually worth knowing

After cross-referencing several lists (k2view, skyvia, obot, n8n) this set keeps repeating:

1.  Playwright MCP (Microsoft)       — browser automation, accessibility tree
2.  Chrome DevTools MCP (Google)     — debug, perf, network
3.  GitHub MCP (official)            — repo, issues, PR, Actions
4.  Supabase MCP                     — Postgres + edge functions + schema
5.  Stripe MCP (official)            — payments
6.  Sentry MCP (official)            — error tracking
7.  Notion MCP                       — pages, databases, tasks as context
8.  Slack MCP (Zencoder)             — 47 tools, search/post/workflows
9.  HubSpot MCP                      — CRM
10. Salesforce MCP Connector
11. Jira MCP                         — tickets
12. Docker Hub MCP
13. Cloudflare MCP                   — Workers, D1, R2, KV
14. Vectara / K2view                 — enterprise RAG, multi-source
15. Browserbase + Browser Use        — cloud browsers for agents

Out of these, what I actually use daily: Playwright (UI tests, screenshots of the very blog you're reading), Cloudflare (deploy, tunnels, DNS), GitHub (review, PRs), and Home Assistant MCP for smart home. The rest only spin up when needed, because every enabled server costs tokens.

What matured, what's thin

Saturated categories, you have plenty to choose from:

  • Browser automation (Playwright, Chrome DevTools, Browserbase, Browser Use)
  • Dev tools / VCS (GitHub, GitLab, Git, Sentry)
  • Databases (Supabase, vendor Postgres, SQLite, Redis, MongoDB, Vectara)
  • Productivity / SaaS (Notion, Slack, Linear, Jira, Asana)
  • DevOps (k8s, Docker, Terraform, observability)
  • Cloud (AWS, GCP, Cloudflare, Azure)

Thin categories, gap in the market:

  • Search, outside Brave, Exa, Perplexity, the rest is fragments
  • AI/ML toolchain, few good servers for MLflow, W&B, Hugging Face
  • Hardware/IoT, Home Assistant MCP exists, but the ecosystem is empty
  • Compliance, audit, legal, basically zero
  • Vertical (medical, legal, finance), early, lots of toys

If you're hunting for a product theme, look at the thin categories. The saturated ones already have their winners.

Streamable HTTP transport displaced stdio for remote deployments. FastMCP 3.0 (Feb 2026) has over 100k downloads. The cost is stateful sessions vs. load balancers, everyone hosts workarounds, no standard.

OAuth 2.1 got accepted as spec in June 2025. In April 2026 thousands of servers in production still have no authn. This is where most of the debt sits.

Tool Search + Programmatic Tool Calling hit GA in Claude Code in February 2026. This is lazy loading of tool definitions, instead of holding 67k tokens of schema in every prompt, the agent loads only what it'll use. Anthropic reports 46.9% token reduction, up to 85% in synthetic tests. If you use Claude Code with 4+ MCP servers, turn this on, no-brainer.

Q2 2026 roadmap is transport scalability, agent-to-agent, governance, enterprise readiness. New spec drops in June 2026.

Counter-current, Mario Zechner's post "What if you don't need MCP at all?" made noise in late 2025. Argument: bash + scripts + plain HTTP often suffice, MCP is formalism for things the agent will solve ad hoc anyway. I agree 60%. For things with state (browser, Slack, database) MCP wins. For "call a REST API and parse JSON", overhead.

Production traps

This is the section where things get unpleasant.

Token bloat. Concrete case study: 4 enabled servers = 67k tokens before the first prompt. Another one: 3 servers ate 143k of a 200k window, 72% of context on tool descriptions alone. That's why Tool Search exists.

Security IS a crisis. Architectural CVE in the official SDK (Python/TS/Java/Rust), 150M+ downloads exposed, 200k+ public servers potentially vulnerable, 10+ CVEs.

Stats worth knowing:
- 66% of audited MCP servers have security findings
- 92% probability of exploitation with 10 installed plugins
- 72% of servers expose sensitive capabilities (code exec, FS, privileged APIs)
- 13% accept untrusted input
- Intersection (9%) = direct prompt-injection path

OWASP already shipped the MCP Top 10. Most painful: tool poisoning (tool descriptions can contain malicious instructions the agent reads as system content), credentials in plaintext, version drift between server and agent's cache.

Quality floor. Out of 20,000 servers in the registry, as popularaitools puts it, most are "toys, abandoned experiments, or security risks". That's not me, that's the literal market description.

Practical recommendations

Short, because this is the point:

  1. Install fewer. Every enabled server is tokens, attack surface and one more thing to audit. I have 6 always-on, the rest on-demand.

  2. Prefer official / vendor-maintained. GitHub from GitHub, Stripe from Stripe, Cloudflare from Cloudflare. It's not a quality issue, it's a security accountability issue.

  3. Enable Tool Search. In Claude Code 2026 it's a flag you flip. 47% fewer tokens for dessert.

  4. Audit before claude mcp add. Check who maintains it, whether it has OAuth 2.1, whether it requires credentials in plaintext. If a server wants your API key in env and doesn't encrypt the cache, reject.

  5. Don't install community servers "because they sound cool". 9% of community servers have a direct prompt-injection path. Your credentials in a Claude session you asked "what's in the news today" can be exfiltrated through a tool description you never read.

Conclusions

MCP in 2026 is a grown-up technology. That means: it has real use cases, it has standards (transport, auth, registry), it has enterprise traction. Along with that, it has grown-up problems, security debt, fragmentation, quality floor, and context bloat.

For developer-consultants, and me too, that's good news. Grown-up technologies are predictable. You know what to pick, what to avoid, where to read the CVEs. That's a much better position than a year ago, when every server was an experiment and every update could break the agent.

The biggest losers are the ones still hoping MCP will solve something for them on its own. The biggest winners are the ones treating it like any other production dependency, with versioning, audit, and iron minimalism.

Less, better, audited.