38% of MCP servers have no auth -- inside the OWASP MCP Top 10
Dev.to AI • Generative AI
I installed 14 MCP servers last month. Then I read the CVE list.

I've been running MCP servers in production since late 2025 -- connecting Claude to my accounting tools, project trackers, and internal databases. Last month alone, I added 14 new MCP servers to my setup. File operations, code search, Slack integration, the works. Then OWASP published the MCP Top 10, and I spent a weekend reading through CVE reports instead of shipping features. 30 CVEs filed against MCP implementations in 60 days. 38% of servers in a 500+ server scan had zero authentication.