YellowMCP
YellowMCP Research

The State of MCP Reliability

April 2026

The first independent assessment of reliability, security, and maintenance across the MCP server ecosystem

Executive Summary

20,348
Servers Indexed
2,181
Remote Endpoints
actively monitored
15,001,433
Health Checks
since April 1
83/100
Avg Trust Score

Key Findings

30% of remote MCP endpoints are dead. Out of 2,181 remote-capable servers, 650 fail to respond — timeout, connection refused, or not found.

276 servers (12.7%) have zero authentication. Any agent can connect and execute tools without credentials.

52% have open CORS (Access-Control-Allow-Origin: *), allowing cross-origin requests from any domain.

Finance scores lowest on trust despite handling the most sensitive data — a notable gap between risk and security posture.

Ecosystem Overview

YellowMCP indexes 20,348 MCP servers from the Official MCP Registry, Smithery, PulseMCP, mcpmonitoring.com, and community lists. Of these, 2,181 have remote endpoints that can be independently monitored.

Data Sources

mcpmonitoring
18,078
registry
1,607
smithery
422
awesome-list
125
pulsemcp
115
claimed
1

Category Distribution

dev-tools
14,662 servers
other
2,788 servers
data
1,199 servers
productivity
793 servers
media
465 servers
finance
227 servers
security
214 servers

Reliability Assessment

Server Status (2,181 remote endpoints)

550
Up (25.2%)
912
Reachable (41.8%)
69
Degraded (3.2%)
650
Down (29.8%)

30-Day Uptime Distribution

99%+ uptime
791
95-99%
348
90-95%
74
80-90%
212
Below 80%
756

Latency Distribution

<100ms
57
100-500ms
124
500-2000ms
1530
>2000ms
470

Top 10 Most Reliable Servers

#ServerCategoryUptimeLatencyTrust
1Netdata79,437dev-tools99.8%548ms100
2PostHog MCP Server35,203dev-tools99.8%561ms100
3ContextLattice121productivity100.0%387ms95
4edgar.tools SEC Intelligence2,413dev-tools100.0%577ms95
5AWS Knowledge9,331dev-tools100.0%433ms100
6MCP Registry Server6,966dev-tools99.2%525ms100
7com.monday/monday.com412dev-tools99.9%540ms100
8ChromaDB Remote MCP Server12dev-tools100.0%368ms100
9ShipSwift2,323dev-tools99.8%540ms95
10BoostedTravel1,223data99.5%775ms85

Security Intelligence

2,180 remote MCP servers scanned with 5 passive security checks: authentication, transport security, CORS policy, information leakage, and SSL/TLS certificate quality.

Trust Score Distribution

Excellent (90+)
1,187
Good (70-89)
460
Fair (50-69)
522
Poor/Critical (<50)
11

276 servers have zero authentication

12.7% of remote MCP servers respond with 2xx and no authentication required. Any agent can connect and execute tools without credentials. This is the #1 security concern in the ecosystem.

Authentication

OAuth/Bearer
645
Weak (static key)
186
No auth
276

SSL/TLS Certificates

Valid
2020
Expiring (<30d)
17
Invalid/Expired
13

Trust Score by Category

dev-tools
83.3/100
other
82.6/100
data
82.7/100
productivity
83.9/100
media
84/100
finance
81.1/100
security
79.8/100

Maintenance & Activity

20.9%
Committed in 30 days
436
Active in 90 days
79%
No commits in 30+ days

Of 1,206 remote servers with linked GitHub repositories, only 20.9% have committed code in the last 30 days. Abandoned MCP servers represent a growing reliability risk — they accumulate security vulnerabilities and drift from protocol updates.

Methodology

Health Monitoring

Every remote endpoint is checked via HTTP GET/SSE handshake every 5-15 minutes. We record status code, response latency, and error details. Servers are classified as up (2xx within 10s), degraded (slow or intermittent), reachable (401/403), or down (timeout/error).

Security Scanning

All checks are passive and non-intrusive. We assess authentication requirements, transport security (HTTPS), CORS headers, information leakage (server headers, error details), and SSL certificate validity. No penetration testing or active exploitation.

Trust Score

Starts at 100. Deductions: no authentication (-30), HTTP only (-25), invalid SSL (-20), expiring SSL (-10), weak auth (-10), error details exposed (-10), open CORS (-5), server headers exposed (-5), low uptime (-10 to -30). Range: 0-100.

Limitations

Uptime data reflects only the monitoring period (since April 1, 2026). Servers without remote endpoints cannot be health-checked. Security scans assess external posture only — internal architecture and code quality are not evaluated. Trust scores are not endorsements.

Recommendations

For developers choosing MCP servers

Check uptime history before depending on a server. Verify it requires authentication. Look at GitHub commit activity — a server with no commits in 90 days is a maintenance risk. Use YellowMCP's agent discovery tools to find reliable servers at runtime.

For MCP server operators

Claim your listing on YellowMCP to verify ownership. Add authentication — 13.8% of the ecosystem is wide open. Monitor your uptime and set up alerts. Embed a reliability badge in your README to signal quality.

For the ecosystem

The MCP ecosystem has a quality layer problem. Registries list servers but don't verify they work. Discovery tools don't assess security. The gap between “listed” and “production-ready” is where reliability intelligence fits.

Share this report

Stay updated on MCP reliability

Get the monthly State of MCP Reliability report and ecosystem insights.

No spam. Unsubscribe anytime.