Critical Flaw in Anthropic’s MCP Protocol Exposes Systems to Remote Command Execution

OX Security researchers have uncovered a critical, systemic vulnerability embedded directly in the architecture of Anthropic’s Model Context Protocol (MCP), the industry standard for AI agent communication. This foundational flaw exposes implementations to Arbitrary Command Execution (RCE), potentially allowing attackers to seize complete control of affected systems and access internal databases, sensitive user data, chat histories, and API keys.

Massive Supply Chain Impact

Because the vulnerability stems from architectural design—rather than a coding error—it affects all Anthropic-supported MCP SDKs, including Python, Rust, Java, and TypeScript. Developers building on these SDKs unknowingly inherit the risk, creating a blast radius impacting:

  • Over 150 million SDK downloads
  • 7,000+ publicly accessible servers
  • Up to 200,000 vulnerable instances globally

Researchers identified four primary exploitation methods:

  • Unauthenticated UI injections in popular AI frameworks
  • Zero-click prompt injections in AI IDEs like Windsurf and Cursor
  • Malicious package distribution via marketplace poisoning
  • Bypass of security hardening in environments like Flowise
MCP Vulnerability Impact (Source: OX Security)
MCP Vulnerability Impact (Source: OX Security)

Critical CVE Identifications

The flaw has triggered at least ten CVEs across major AI products. Key unauthenticated RCE vulnerabilities include:

  • CVE-2025-65720 in GPT Researcher
  • CVE-2026-30624 in Agent Zero
  • CVE-2026-30618 in Fay Framework
  • CVE-2026-30617 in Langchain-Chatchat
  • CVE-2026-33224 in Jaaz

Other critical exposures include:

  • CVE-2026-30615: Zero-click prompt injection in Windsurf
  • CVE-2026-26015: Transport-type substitution in DocsGPT (patched)
  • CVE-2026-30625: Allowlist bypass in Upsonic
  • CVE-2026-30623: Authenticated vulnerability (patched) in LiteLLM

Vendor Response and Required Mitigations

Despite over 30 responsible disclosures from OX Security, Anthropic maintains the vulnerability is “expected” and won’t modify the protocol’s architecture. While individual projects patch their tools, the root cause remains unaddressed.

Organizations using MCP services must implement these mitigations immediately:

  • Block public IP access to sensitive AI services
  • Treat all external MCP configuration input as untrusted
  • Install servers exclusively from official MCP directories
  • Run MCP services in isolated sandboxes with restricted permissions
  • Monitor tool invocations for anomalous activity
  • Upgrade vulnerable services or disable user input exposure

Related Articles

Back to top button