
Cloudflare Remote MCP Servers: Powerful But Potentially Dangerous

Dec 6, 2025

Tags: mcp, cloudflare, security, ai-agents

Cloudflare now lets you deploy remote MCP servers to Workers, complete with OAuth authentication. It’s a genuinely impressive piece of infrastructure.

It’s also a security footgun waiting to go off.

What Cloudflare Built

They’ve packaged everything you need:

You can spin up a remote MCP server in minutes and connect it to Claude Desktop, Cursor, or their AI Playground.

Why This Is Crazy Dangerous

MCP servers give AI agents the ability to execute real actions: read files, query databases, call APIs, modify systems. Traditionally these run locally - the blast radius of a compromise is your own machine.

Remote MCP servers flip that model entirely:

  1. Internet-exposed tool execution - Your MCP server is now a publicly addressable endpoint that can trigger actions on your infrastructure

  2. OAuth doesn’t mean secure - Token theft, permission creep, and social engineering attacks all still apply. Now your attack surface is the entire internet instead of local processes.

  3. AI agents are unpredictable - Even with authentication, an AI with broad tool access can be prompted into unintended behavior. Remote exposure means anyone who obtains valid credentials can exploit this.

  4. Compounding permissions - If your MCP server talks to databases, internal APIs, or cloud resources, you’ve just created an authenticated bridge from the public internet to your internal systems

The Pattern To Avoid

Don’t do this:

Internet → OAuth → MCP Server → (Database, Files, Internal APIs, Cloud Resources)

If you must expose MCP remotely, treat it like you’re building a public API - because you are. Scope permissions ruthlessly. Audit everything. Assume the tokens will leak.
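
One way to apply "scope ruthlessly, audit everything, assume tokens leak" at the tool-dispatch layer, as an added example that is not from the original post or from Cloudflare. The tool names, scope strings, `authorizeToolCall`, and the 15-minute age cap are all hypothetical, and the token claims are assumed to be signature-verified before this runs.

```javascript
// Added example with hypothetical names; not Cloudflare's or any MCP SDK's API.
// Each tool maps to one narrow scope. Tools absent from the map are denied.
const TOOL_SCOPES = new Map([
  ["tickets.read", "tickets:read"],
  ["tickets.comment", "tickets:write"],
]);
const MAX_TOKEN_AGE_SECONDS = 15 * 60; // assume tokens leak: cap their useful life
const auditLog = []; // in-memory sink for the example; use durable storage in practice

// claims: OAuth token claims, assumed already signature-verified upstream.
function authorizeToolCall(claims, toolName, nowSeconds) {
  const required = TOOL_SCOPES.get(toolName);
  const granted = typeof claims?.scope === "string" ? claims.scope.split(" ") : [];
  let reason = "ok";
  if (required === undefined) reason = "unknown_tool";
  else if (!Number.isInteger(claims?.iat) || !Number.isInteger(claims?.exp)) reason = "malformed_token";
  else if (nowSeconds >= claims.exp) reason = "expired";
  else if (nowSeconds - claims.iat > MAX_TOKEN_AGE_SECONDS) reason = "token_too_old";
  else if (!granted.includes(required)) reason = "missing_scope";
  const allowed = reason === "ok";
  // Record every decision, allowed or denied, and never the token itself.
  auditLog.push({ at: nowSeconds, sub: claims?.sub ?? null, tool: toolName, allowed, reason });
  return { allowed, reason };
}

// Constructed sample claims for a read-only user.
const sampleClaims = { sub: "user-123", scope: "tickets:read", iat: 1000, exp: 1600 };
console.log(authorizeToolCall(sampleClaims, "tickets.read", 1100));
console.log(authorizeToolCall(sampleClaims, "tickets.comment", 1100));
```

The denied entries in `auditLog` are the ones worth alerting on: repeated `unknown_tool` or `missing_scope` results for one subject suggest a token being probed for access it was never granted.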

When Remote MCP Makes Sense

For most use cases? Keep your MCP servers local. The convenience of remote access isn’t worth the attack surface expansion.


Source: Cloudflare Remote MCP Server Guide