YellowMCP
YellowMCP Research

The State of MCP Reliability

April 2026

The first independent assessment of reliability, security, and maintenance across the MCP server ecosystem

Executive Summary

Servers Indexed: 20,348
Remote Endpoints (actively monitored): 2,181
Health Checks (since April 1): 540,983
Avg Trust Score: 80/100

Key Findings

26% of remote MCP endpoints are dead. Out of 2,181 remote-capable servers, 560 fail to respond — timeout, connection refused, or not found.

309 servers (14.2%) have zero authentication. Any agent can connect and execute tools without credentials.

53% have open CORS (Access-Control-Allow-Origin: *), allowing cross-origin requests from any domain.

Finance scores lowest on trust despite handling the most sensitive data — a notable gap between risk and security posture.

Ecosystem Overview

YellowMCP indexes 20,348 MCP servers from the Official MCP Registry, Smithery, PulseMCP, mcpmonitoring.com, and community lists. Of these, 2,181 have remote endpoints that can be independently monitored.

Data Sources

mcpmonitoring: 18,078
registry: 1,607
smithery: 422
awesome-list: 125
pulsemcp: 115
claimed: 1

Category Distribution

dev-tools: 14,662 servers
other: 2,788 servers
data: 1,199 servers
productivity: 793 servers
media: 465 servers
finance: 227 servers
security: 214 servers

Reliability Assessment

Server Status (2,181 remote endpoints)

Up: 604 (27.7%)
Reachable: 960 (44.0%)
Degraded: 57 (2.6%)
Down: 560 (25.7%)

30-Day Uptime Distribution

99%+ uptime: 663
95-99%: 136
90-95%: 61
80-90%: 117
Below 80%: 1204

Latency Distribution

<100ms: 48
100-500ms: 231
500-2000ms: 1387
>2000ms: 515

Top 10 Most Reliable Servers

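| # | Server | | Category | Uptime | Latency | Trust |
|---|--------|---|----------|--------|---------|-------|
| 1 | PostHog MCP Server | 32,376 | dev-tools | 100.0% | 515ms | 100 |
| 2 | Skyvern | 21,048 | data | 100.0% | 809ms | 85 |
| 3 | edgar.tools SEC Intelligence | 1,953 | dev-tools | 98.1% | 549ms | 95 |
| 4 | com.stripe/mcp | 1,430 | finance | 100.0% | 660ms | 95 |
| 5 | com.apify/apify-mcp-server | 1,012 | data | 97.7% | 876ms | 90 |
| 6 | ai.smithery/brave | 867 | dev-tools | 100.0% | 543ms | 95 |
| 7 | io.github.alphavantage/alpha_vantage_mcp | 113 | dev-tools | 100.0% | 445ms | 85 |
| 8 | ai.smithery/docfork-mcp | 454 | dev-tools | 100.0% | 653ms | 95 |
| 9 | com.monday/monday.com | 390 | dev-tools | 99.6% | 545ms | 100 |
| 10 | PayRam Helper MCP Server | 133 | dev-tools | 96.9% | 801ms | 70 |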

Security Intelligence

2,180 remote MCP servers scanned with 5 passive security checks: authentication, transport security, CORS policy, information leakage, and SSL/TLS certificate quality.

Trust Score Distribution

Excellent (90+): 926
Good (70-89): 714
Fair (50-69): 528
Poor/Critical (<50): 12

309 servers have zero authentication

14.2% of remote MCP servers respond with 2xx and no authentication required. Any agent can connect and execute tools without credentials. This is the #1 security concern in the ecosystem.

Authentication

OAuth/Bearer: 671
Weak (static key): 177
No auth: 309

SSL/TLS Certificates

Valid: 2097
Expiring (<30d): 12
Invalid/Expired: 4

Trust Score by Category

dev-tools: 80.8/100
other: 79.3/100
data: 80.5/100
productivity: 81.6/100
media: 81.1/100
finance: 76.2/100
security: 76.7/100

Maintenance & Activity

Committed in 30 days: 49%
Active in 90 days: 750
No commits in 30+ days: 51%

Of 1,206 remote servers with linked GitHub repositories, only 49% have committed code in the last 30 days. Abandoned MCP servers represent a growing reliability risk — they accumulate security vulnerabilities and drift from protocol updates.

Methodology

Health Monitoring

Every remote endpoint is checked via HTTP GET/SSE handshake every 5-15 minutes. We record status code, response latency, and error details. Servers are classified as up (2xx within 10s), degraded (slow or intermittent), reachable (401/403), or down (timeout/error).

Security Scanning

All checks are passive and non-intrusive. We assess authentication requirements, transport security (HTTPS), CORS headers, information leakage (server headers, error details), and SSL certificate validity. No penetration testing or active exploitation.

Trust Score

Starts at 100. Deductions: no authentication (-30), HTTP only (-25), invalid SSL (-20), expiring SSL (-10), weak auth (-10), error details exposed (-10), open CORS (-5), server headers exposed (-5), low uptime (-10 to -30). Range: 0-100.
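
The status classes under Health Monitoring and the deductions above can be applied to one passive observation of an endpoint you operate. This is an added example, not YellowMCP's scoring code; the observation fields, the Bearer-versus-static-key test, the error-leak heuristic and the uptime cut-offs are assumptions, and the sample data is constructed.

```python
DEDUCTIONS = {  # point values from the Trust Score paragraph
    "no_auth": 30, "http_only": 25, "invalid_ssl": 20, "expiring_ssl": 10,
    "weak_auth": 10, "error_details": 10, "open_cors": 5, "server_headers": 5,
}

def classify(status, latency_s):
    """One health check -> up / reachable / degraded / down."""
    if status is None:                      # timeout or connection refused
        return "down"
    if status in (401, 403):                # alive, but demands credentials
        return "reachable"
    if 200 <= status < 300:                 # ASSUMPTION: "slow" = 2xx after 10 s
        return "up" if latency_s <= 10 else "degraded"
    return "down"                           # not found or server error

def findings(obs):
    """Passive findings from one unauthenticated response (obs is a dict)."""
    h = {k.lower(): v for k, v in obs["headers"].items()}
    status, body, found = obs["status"], obs["body"].lower(), set()
    if status is not None and 200 <= status < 300:
        found.add("no_auth")                # 2xx although no credentials were sent
    elif status in (401, 403) and not h.get("www-authenticate", "").lower().startswith("bearer"):
        found.add("weak_auth")              # ASSUMPTION: non-Bearer challenge = static key
    if not obs["url"].lower().startswith("https://"):
        found.add("http_only")
    elif obs["cert_days_left"] is None or obs["cert_days_left"] <= 0:
        found.add("invalid_ssl")
    elif obs["cert_days_left"] < 30:
        found.add("expiring_ssl")
    if h.get("access-control-allow-origin", "").strip() == "*":
        found.add("open_cors")
    if "server" in h or "x-powered-by" in h:
        found.add("server_headers")
    if "traceback" in body or "stack trace" in body:
        found.add("error_details")          # ASSUMPTION: crude leak heuristic
    return found

def uptime_penalty(uptime_pct):
    # ASSUMPTION: the report gives only the range -10 to -30; cut-offs are illustrative
    return 30 if uptime_pct < 80 else 20 if uptime_pct < 90 else 10 if uptime_pct < 95 else 0

def trust_score(obs):
    total = sum(DEDUCTIONS[f] for f in findings(obs)) + uptime_penalty(obs["uptime_pct"])
    return max(0, 100 - total)

# Constructed observation: open endpoint, wildcard CORS, certificate expiring in 12 days
SAMPLE = {"url": "https://mcp.example.test/sse", "status": 200, "latency_s": 0.6,
          "headers": {"Access-Control-Allow-Origin": "*", "Server": "nginx"},
          "body": "", "cert_days_left": 12, "uptime_pct": 99.2}

if __name__ == "__main__":
    print(classify(SAMPLE["status"], SAMPLE["latency_s"]), sorted(findings(SAMPLE)), trust_score(SAMPLE))
```

Requiring a Bearer token, removing the wildcard CORS header and the Server header, and renewing the certificate brings the same constructed endpoint from 50 back to 100 under this rubric.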

Limitations

Uptime data reflects only the monitoring period (since April 1, 2026). Servers without remote endpoints cannot be health-checked. Security scans assess external posture only — internal architecture and code quality are not evaluated. Trust scores are not endorsements.

Recommendations

For developers choosing MCP servers

Check uptime history before depending on a server. Verify it requires authentication. Look at GitHub commit activity — a server with no commits in 90 days is a maintenance risk. Use YellowMCP's agent discovery tools to find reliable servers at runtime.

For MCP server operators

Claim your listing on YellowMCP to verify ownership. Add authentication — 13.8% of the ecosystem is wide open. Monitor your uptime and set up alerts. Embed a reliability badge in your README to signal quality.

For the ecosystem

The MCP ecosystem has a quality layer problem. Registries list servers but don't verify they work. Discovery tools don't assess security. The gap between “listed” and “production-ready” is where reliability intelligence fits.
