YellowMCP Research

The State of MCP Reliability

April 2026

The first independent assessment of reliability, security, and maintenance across the MCP server ecosystem

Executive Summary

20,348

Servers Indexed

2,181

Remote Endpoints

actively monitored

7,677,185

Health Checks

since April 1

83/100

Avg Trust Score

Key Findings

29% of remote MCP endpoints are dead. Out of 2,181 remote-capable servers, 623 fail to respond — timeout, connection refused, or not found.

286 servers (13.1%) have zero authentication. Any agent can connect and execute tools without credentials.

52% have open CORS (Access-Control-Allow-Origin: *), allowing cross-origin requests from any domain.

Finance scores lowest on trust despite handling the most sensitive data — a notable gap between risk and security posture.

Ecosystem Overview

YellowMCP indexes 20,348 MCP servers from the Official MCP Registry, Smithery, PulseMCP, mcpmonitoring.com, and community lists. Of these, 2,181 have remote endpoints that can be independently monitored.

Data Sources

mcpmonitoring

18,078

registry

1,607

smithery

422

awesome-list

125

pulsemcp

115

claimed

Category Distribution

dev-tools

14,662 servers

other

2,788 servers

data

1,199 servers

productivity

793 servers

media

465 servers

finance

227 servers

security

214 servers

Reliability Assessment

Server Status (2,181 remote endpoints)

555

Up (25.4%)

929

Reachable (42.6%)

Degraded (3.4%)

623

Down (28.6%)

30-Day Uptime Distribution

99%+ uptime

95-99%

787

90-95%

132

80-90%

430

Below 80%

829

Latency Distribution

<100ms

100-500ms

500-2000ms

1267

>2000ms

913

Top 10 Most Reliable Servers

#	Server	Category	Uptime	Latency	Trust
1	Netdata★78,715	dev-tools	98.0%	1673ms	100
2	PostHog MCP Server★34,316	dev-tools	97.9%	1618ms	100
3	edgar.tools SEC Intelligence★2,103	dev-tools	97.9%	1596ms	95
4	ContextLattice★56	productivity	98.2%	1492ms	95
5	ai.smithery/docfork-mcp★473	dev-tools	98.5%	1614ms	95
6	ai.klavis/strata★5,732	dev-tools	97.7%	1755ms	90
7	ai.smithery/brave★987	dev-tools	98.2%	1680ms	95
8	Axiom★12	data	98.0%	1611ms	100
9	Supabase★2,666	dev-tools	97.7%	1607ms	100
10	Sandbox Container★3,705	dev-tools	98.3%	1549ms	100

Security Intelligence

2,180 remote MCP servers scanned with 5 passive security checks: authentication, transport security, CORS policy, information leakage, and SSL/TLS certificate quality.

Trust Score Distribution

Excellent (90+)

1,193

Good (70-89)

443

Fair (50-69)

527

Poor/Critical (<50)

286 servers have zero authentication

13.1% of remote MCP servers respond with 2xx and no authentication required. Any agent can connect and execute tools without credentials. This is the #1 security concern in the ecosystem.

Authentication

OAuth/Bearer

656

Weak (static key)

180

No auth

286

SSL/TLS Certificates

Valid

2030

Expiring (<30d)

Invalid/Expired

Trust Score by Category

dev-tools

82.9/100

other

81.8/100

data

83.7/100

productivity

84.3/100

media

83.6/100

finance

79.8/100

security

81.5/100

Maintenance & Activity

25%

Committed in 30 days

706

Active in 90 days

75%

No commits in 30+ days

Of 1,206 remote servers with linked GitHub repositories, only 25% have committed code in the last 30 days. Abandoned MCP servers represent a growing reliability risk — they accumulate security vulnerabilities and drift from protocol updates.

Methodology

Health Monitoring

Every remote endpoint is checked via HTTP GET/SSE handshake every 5-15 minutes. We record status code, response latency, and error details. Servers are classified as up (2xx within 10s), degraded (slow or intermittent), reachable (401/403), or down (timeout/error).

Security Scanning

All checks are passive and non-intrusive. We assess authentication requirements, transport security (HTTPS), CORS headers, information leakage (server headers, error details), and SSL certificate validity. No penetration testing or active exploitation.

Trust Score

Starts at 100. Deductions: no authentication (-30), HTTP only (-25), invalid SSL (-20), expiring SSL (-10), weak auth (-10), error details exposed (-10), open CORS (-5), server headers exposed (-5), low uptime (-10 to -30). Range: 0-100.

Limitations

Uptime data reflects only the monitoring period (since April 1, 2026). Servers without remote endpoints cannot be health-checked. Security scans assess external posture only — internal architecture and code quality are not evaluated. Trust scores are not endorsements.

Recommendations

For developers choosing MCP servers

Check uptime history before depending on a server. Verify it requires authentication. Look at GitHub commit activity — a server with no commits in 90 days is a maintenance risk. Use YellowMCP's agent discovery tools to find reliable servers at runtime.

For MCP server operators

Claim your listing on YellowMCP to verify ownership. Add authentication — 13.8% of the ecosystem is wide open. Monitor your uptime and set up alerts. Embed a reliability badge in your README to signal quality.

For the ecosystem

The MCP ecosystem has a quality layer problem. Registries list servers but don't verify they work. Discovery tools don't assess security. The gap between “listed” and “production-ready” is where reliability intelligence fits.

Share this report

Share on X Copy link

Test Your Server

Instant health check for any MCP endpoint

Live Data

Real-time ecosystem statistics

Stay updated on MCP reliability

Get the monthly State of MCP Reliability report and ecosystem insights.

No spam. Unsubscribe anytime.