YellowMCP Research

The State of MCP Reliability

April 2026

The first independent assessment of reliability, security, and maintenance across the MCP server ecosystem

Executive Summary

Servers Indexed: 20,348
Remote Endpoints (actively monitored): 2,181
Health Checks (since April 1): 3,070,369
Avg Trust Score: 83/100

Key Findings

27% of remote MCP endpoints are dead. Out of 2,181 remote-capable servers, 582 fail to respond — timeout, connection refused, or not found.

298 servers (13.7%) have zero authentication. Any agent can connect and execute tools without credentials.

52% have open CORS (Access-Control-Allow-Origin: *), allowing cross-origin requests from any domain.

Finance scores lowest on trust despite handling the most sensitive data — a notable gap between risk and security posture.

Ecosystem Overview

YellowMCP indexes 20,348 MCP servers from the Official MCP Registry, Smithery, PulseMCP, mcpmonitoring.com, and community lists. Of these, 2,181 have remote endpoints that can be independently monitored.

Data Sources

mcpmonitoring: 18,078
registry: 1,607
smithery: 422
awesome-list: 125
pulsemcp: 115
claimed: 1

Category Distribution

dev-tools: 14,662 servers
other: 2,788 servers
data: 1,199 servers
productivity: 793 servers
media: 465 servers
finance: 227 servers
security: 214 servers

Reliability Assessment

Server Status (2,181 remote endpoints)

Up: 573 (26.3%)
Reachable: 953 (43.7%)
Degraded: 73 (3.3%)
Down: 582 (26.7%)

30-Day Uptime Distribution

99%+ uptime: 612
95-99%: 208
90-95%: 312
80-90%: 260
Below 80%: 789

Latency Distribution

<100ms: 49
100-500ms: 85
500-2000ms: 1509
>2000ms: 538

Top 10 Most Reliable Servers

# | Server | | Category | Uptime | Latency | Trust
1 | PostHog MCP Server | 32,537 | dev-tools | 99.8% | 535ms | 100
2 | edgar.tools SEC Intelligence | 1,990 | dev-tools | 99.2% | 541ms | 95
3 | Buildkite | 50 | dev-tools | 99.6% | 653ms | 95
4 | io.github.alphavantage/alpha_vantage_mcp | 119 | dev-tools | 99.9% | 635ms | 85
5 | ai.smithery/brave | 891 | dev-tools | 99.9% | 681ms | 95
6 | com.monday/monday.com | 394 | dev-tools | 99.7% | 657ms | 100
7 | ai.smithery/docfork-mcp | 459 | dev-tools | 99.8% | 695ms | 95
8 | Slack MCP Server | 21 | dev-tools | 99.7% | 591ms | 100
9 | Axiom | 11 | data | 99.4% | 684ms | 100
10 | com.stripe/mcp | 1,456 | finance | 99.2% | 799ms | 95

Security Intelligence

2,180 remote MCP servers scanned with 5 passive security checks: authentication, transport security, CORS policy, information leakage, and SSL/TLS certificate quality.

Trust Score Distribution

Excellent (90+): 1,195
Good (70-89): 483
Fair (50-69): 491
Poor/Critical (<50): 11

298 servers have zero authentication

13.7% of remote MCP servers respond with 2xx and no authentication required. Any agent can connect and execute tools without credentials. This is the #1 security concern in the ecosystem.

Authentication

OAuth/Bearer: 661
Weak (static key): 179
No auth: 298

SSL/TLS Certificates

Valid: 2056
Expiring (<30d): 20
Invalid/Expired: 4

Trust Score by Category

dev-tools: 83.7/100
other: 82.6/100
data: 84/100
productivity: 83.7/100
media: 83.9/100
finance: 78.9/100
security: 80/100

Maintenance & Activity

Committed in 30 days: 40%
Active in 90 days: 731
No commits in 30+ days: 60%

Of 1,206 remote servers with linked GitHub repositories, only 40% have committed code in the last 30 days. Abandoned MCP servers represent a growing reliability risk — they accumulate security vulnerabilities and drift from protocol updates.

Methodology

Health Monitoring

Every remote endpoint is checked via HTTP GET/SSE handshake every 5-15 minutes. We record status code, response latency, and error details. Servers are classified as up (2xx within 10s), degraded (slow or intermittent), reachable (401/403), or down (timeout/error).

Security Scanning

All checks are passive and non-intrusive. We assess authentication requirements, transport security (HTTPS), CORS headers, information leakage (server headers, error details), and SSL certificate validity. We perform no penetration testing or active exploitation.

Trust Score

Every server starts at 100. Deductions: no authentication (-30), HTTP only (-25), invalid SSL (-20), expiring SSL (-10), weak auth (-10), error details exposed (-10), open CORS (-5), server headers exposed (-5), low uptime (-10 to -30). Range: 0-100.
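
The deduction scheme above, worked through on two constructed probe results. This is an added example, not YellowMCP's code: the Probe field names, the headers and body markers treated as leakage, and the uptime cut-offs are assumptions, since the page gives only the -10 to -30 range.

```python
from dataclasses import dataclass, field

# Deductions as listed in the Trust Score methodology on this page.
DEDUCTIONS = {"no_auth": 30, "http_only": 25, "invalid_ssl": 20,
              "expiring_ssl": 10, "weak_auth": 10, "error_details": 10,
              "open_cors": 5, "server_headers": 5}

@dataclass
class Probe:
    """One passive observation. Field names are hypothetical, not YellowMCP's schema."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    auth: str = "none"         # "bearer", "static_key" or "none"
    cert_days_left: int = 365  # negative means expired or invalid
    body: str = ""
    uptime_pct: float = 100.0

def findings(p: Probe) -> list[str]:
    h = {k.lower(): v for k, v in p.headers.items()}  # header names are case-insensitive
    out = []
    if 200 <= p.status < 300 and p.auth == "none":
        out.append("no_auth")          # 2xx with no credentials required
    elif p.auth == "static_key":
        out.append("weak_auth")
    if p.url.startswith("http://"):
        out.append("http_only")        # no certificate to grade
    elif p.cert_days_left < 0:
        out.append("invalid_ssl")
    elif p.cert_days_left < 30:
        out.append("expiring_ssl")     # the page's "Expiring (<30d)" bucket
    if h.get("access-control-allow-origin", "").strip() == "*":
        out.append("open_cors")
    # Assumption: which headers and body markers count as leakage.
    if "server" in h or "x-powered-by" in h:
        out.append("server_headers")
    if p.status >= 400 and ("Traceback" in p.body or "\n    at " in p.body):
        out.append("error_details")
    return out

def uptime_penalty(pct: float) -> int:
    # Assumption: the page gives only the range -10 to -30, not the cut-offs.
    return 30 if pct < 80 else 20 if pct < 90 else 10 if pct < 95 else 0

def trust_score(p: Probe) -> int:
    total = sum(DEDUCTIONS[f] for f in findings(p)) + uptime_penalty(p.uptime_pct)
    return max(0, 100 - total)         # stated range is 0-100

# Constructed samples, not real servers.
OPEN = Probe("http://mcp.example.test/sse", 200,
             {"Access-Control-Allow-Origin": "*", "Server": "nginx"}, uptime_pct=72.0)
GOOD = Probe("https://mcp.example.test/mcp", 401, {}, auth="bearer", cert_days_left=12)
```

Under these assumptions the unauthenticated plain-HTTP sample scores 5 and the bearer-protected one scores 90, losing points only for its expiring certificate.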

Limitations

Uptime data reflects only the monitoring period (since April 1, 2026). Servers without remote endpoints cannot be health-checked. Security scans assess external posture only — internal architecture and code quality are not evaluated. Trust scores are not endorsements.

Recommendations

For developers choosing MCP servers

Check uptime history before depending on a server. Verify it requires authentication. Look at GitHub commit activity — a server with no commits in 90 days is a maintenance risk. Use YellowMCP's agent discovery tools to find reliable servers at runtime.

For MCP server operators

Claim your listing on YellowMCP to verify ownership. Add authentication — 13.8% of the ecosystem is wide open. Monitor your uptime and set up alerts. Embed a reliability badge in your README to signal quality.

For the ecosystem

The MCP ecosystem has a quality layer problem. Registries list servers but don't verify they work. Discovery tools don't assess security. The gap between “listed” and “production-ready” is where reliability intelligence fits.
