AI Agents Are Reading Your Docs. Are You Ready?
Last month, 48% of visitors to documentation sites across Mintlify were AI agents—not humans.
Claude Code, Cursor, and other coding agents are becoming the actual customers reading your docs. And they read everything.
This changes what good documentation means. Humans skim and forgive gaps. Agents methodically check every endpoint, read every guide, and compare you against alternatives with zero fatigue.
Your docs aren't just helping users anymore—they're your product's first interview with the machines deciding whether to recommend you.
That means:
→ Clear schema markup so agents can parse your content
→ Real benchmarks, not marketing fluff
→ Open endpoints agents can actually test
→ Honest comparisons that emphasize strengths without hype
In the agentic world, documentation becomes 10x more important. Companies that make their products machine-understandable will win distribution through AI.
Four days ago, Microsoft disclosed a critical vulnerability in their Azure MCP Server. CVSS score of 9.1. The flaw: no authentication layer at all. If your AI agents connect to Azure DevOps through MCP — your repositories, pipelines, API keys, and work items are sitting open to anyone on the same network. No credentials required. No patch yet.
It's a significant disclosure. But the more unsettling detail isn't the bug itself — it's the reason it exists.
What Happened
CVE-2026-32211 affects @azure-devops/mcp, Microsoft's official npm package for connecting AI agents to Azure DevOps. The server handles work items, repositories, build pipelines, and pull requests. The missing authentication layer means an attacker with network access can read sensitive configuration details, API keys, and authentication tokens without any credentials.
Microsoft has published interim mitigation guidance — primarily network-level controls to restrict access while the patch is pending. But here's the part that matters: Microsoft didn't make a rogue engineering mistake. They followed the Model Context Protocol specification, which Anthropic created and which explicitly makes authentication optional. The official MCP SDK documentation states it plainly: no built-in authentication mechanisms are included.
When security is optional in a spec, a lot of implementations skip it. Microsoft, one of the most well-resourced engineering organizations on the planet, is just the most visible example.
The Bigger Picture
The MCP ecosystem has been growing faster than its security model for months. Between January and February 2026, security researchers filed over 30 CVEs targeting MCP servers, clients, and infrastructure — not over years, over 60 days. A survey of 2,614 MCP implementations found 82% vulnerable to path traversal attacks. Over a third carry some form of SSRF exposure similar to the Azure flaw. Every category has at least one confirmed CVE with a public exploit.
This is the pattern that forms when adoption outpaces security review — and it's a pattern the AI agent ecosystem is repeating at speed. MCP crossed 97 million installs in March 2026. Every major AI tooling provider now ships MCP-compatible servers. Claude Code uses it. Cursor uses it. Windsurf uses it. Each of those servers runs with whatever permissions your AI system has — no sandboxing, no isolation.
The attack surface for AI agent infrastructure is expanding almost daily. Supply chain attacks are now specifically targeting the libraries that route AI traffic — LiteLLM, the Python routing layer inside most agent frameworks, was backdoored last month. Axios, which Claude Code depends on for HTTP, was trojanized the same week as the MCP disclosure. Threat actors are no longer probing AI systems for what models they can manipulate. They're mapping the infrastructure those models run on and working through it methodically.
MCP, with its optional authentication model and explosive growth, is exactly the kind of surface that gets systematically exploited once attackers map it properly. The 30 CVEs in 60 days aren't a starting point — they're a preview.
What This Means for You
If you're running AI agents that use MCP servers — and if you use Claude Code, Cursor, or Windsurf, you almost certainly are — this week is a good time to open your MCP config file and actually read what's connected. Know what tools each server exposes, what permissions it runs with, and who published it.
For Azure DevOps specifically: apply Microsoft's mitigation guidance now and don't wait for the patch. For your broader MCP stack, a free scanner called mcp-scan (run with uvx mcp-scan) will check your connected servers for tool poisoning indicators and known vulnerabilities in under 30 seconds. It's worth running before you let your agents back into anything sensitive.
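One way to script the config read-through described above, as an added example that is not part of the original post or of any MCP client. It assumes the config uses the mcpServers JSON layout; the sample config, server names, hosts, token value and the three heuristics are constructed for illustration.

```python
import json
import re

# Constructed sample ("mcpServers" layout); names, hosts, org and token are made up.
SAMPLE_CONFIG = """
{"mcpServers": {
  "ado": {"command": "npx", "args": ["-y", "@azure-devops/mcp", "example-org"],
          "env": {"ADO_PAT": "constructed-not-a-real-token"}},
  "internal-search": {"url": "http://mcp.internal.example:8080/mcp"},
  "tickets": {"url": "https://tickets.example/mcp",
              "headers": {"Authorization": "Bearer ${TICKETS_TOKEN}"}},
  "files": {"command": "npx", "args": ["-y", "@example/files-mcp@1.4.2", "/srv/docs"]}
}}
"""

LAUNCHERS = {"npx", "uvx", "bunx"}  # commands that fetch a package and run it
SECRET_NAME = re.compile(r"(token|secret|password|api_?key|_pat)$", re.I)

def pinned_version(package):
    """Return the version after the last '@', or None if absent or 'latest'."""
    _, sep, version = package.lstrip("@").rpartition("@")
    return version if sep and version != "latest" else None

def audit_server(spec):
    """List what a reviewer should question about one server entry."""
    findings = []
    url = spec.get("url")
    if url:  # remote server reached over HTTP
        if url.startswith("http://"):
            findings.append("remote server over plaintext http")
        if "authorization" not in {h.lower() for h in spec.get("headers", {})}:
            findings.append("no Authorization header configured")
    if spec.get("command", "").rsplit("/", 1)[-1] in LAUNCHERS:
        package = next((a for a in spec.get("args", []) if not a.startswith("-")), None)
        if package and pinned_version(package) is None:
            findings.append(f"package {package} is not pinned to a version")
    for name, value in spec.get("env", {}).items():
        # Assumption: values written as ${...} are references resolved elsewhere.
        if SECRET_NAME.search(name) and value and not value.startswith("${"):
            findings.append(f"secret {name} stored in plaintext")
    return findings

def audit_config(text):
    servers = json.loads(text).get("mcpServers", {})
    return {name: audit_server(spec) for name, spec in servers.items()}

if __name__ == "__main__":
    for server, findings in audit_config(SAMPLE_CONFIG).items():
        print(server, "->", findings or "nothing flagged")
```

The script only reads the config and never contacts a server, so it complements a scanner such as mcp-scan rather than replacing it.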
The tools are genuinely useful. The infrastructure connecting them to your most sensitive systems needs the same scrutiny you'd apply to any other production dependency — and right now, most people haven't looked.
The full video breakdown — including what to check, the three-step action checklist, and why the MCP spec itself is the root of the problem — is on the Drift Intel YouTube channel. Microsoft's mitigation guidance for CVE-2026-32211 and the mcp-scan tool are linked in the video description.


