Anthropic won't own MCP 'design flaw' putting 200K servers at risk, researcher says
Bug or feature?
A design flaw – or expected behavior based on a bad design choice, depending on who is telling the story – baked into Anthropic's official Model Context Protocol (MCP) puts as many as 200,000 servers at risk of complete takeover, according to security researchers.
The Ox research team says they "repeatedly" asked Anthropic to patch the root issue, and were repeatedly told the protocol works just fine, thank you, despite 10 (so far) high- and critical-severity CVEs issued for individual open source tools and AI agents that use MCP. A root patch, according to Ox, could have reduced risk across software packages totaling more than 150 million downloads and protected millions of downstream users.
Anthropic "declined to modify the protocol's architecture, citing the behavior as 'expected,'" Ox researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok, and Roni Bar said in a blog about their research, which began in November 2025 and included more than 30 responsible disclosure processes.
A week after their initial report to Anthropic, the AI vendor quietly released an updated security policy – as seems to be the pattern when faced with AI bugs. The updated guidance says MCP adapters, specifically STDIO ones, should be used with caution, the team wrote in a subsequent 30-page paper [PDF]. "This change didn't fix anything," they added.
Anthropic did not respond to The Register's inquiries for this story.
According to the security sleuths, the root issue lies in MCP, an open source protocol originally developed by Anthropic that LLMs, AI applications, and agents use to connect to external data, systems, and one another. It works across programming languages – which means any developer using Anthropic's official MCP software development kit across any supported language, including Python, TypeScript, Java, and Rust, inherits this vulnerability.
MCP uses STDIO (standard input/output) as a local transport mechanism for an AI application to spawn an MCP server as a subprocess. "But in practice it actually lets anyone run any arbitrary OS command: if the command successfully creates an STDIO server, it will return the handle, but when given a different command, it returns an error after the command is executed," the Ox researchers wrote.
Abusing this logic can lead to four different types of vulnerabilities.
All roads lead to RCE
The first type of vulnerability, unauthenticated and authenticated command injection, allows an attacker to enter user-controlled commands that will run directly on the server without authentication or sanitization. This can lead to total system compromise, and any AI framework with a publicly facing UI is vulnerable, we're told.
Vulnerable projects include all versions of LangFlow, IBM's open source low-code framework for building AI applications and agents, according to the researchers. They say they disclosed the issue to LangFlow on January 11, and no CVE has been issued.
It also affects GPT Researcher, an open source AI agent designed for deep research, and while it doesn't yet have a patch, this one does have a CVE tracker (CVE-2025-65720).
The second attack vector, unauthenticated command injection with hardening bypass, allows miscreants to bypass protections and user input sanitization implemented by developers to run commands directly on the server.
Both Upsonic (CVE-2026-30625) and Flowise (GHSA-c9gw-hvqq-f33r) have hardened against command injection by allowing only certain commands to run, such as "python," "npm," and "npx." This, in theory, should have made it impossible to directly send the command through the "command" parameter.
And yet? "We were able to bypass this behavior by indirectly injecting the command via the allowed command's arguments, for example 'npx -c <command>,'" the Ox team wrote.
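The two policies described above (the STDIO "command" parameter arriving from a UI, and a command-name allowlist that arguments can route around) side by side, as an added example that is not code from MCP, Ox, or any of the named projects. The registry entries, package names, and helper names are constructed for illustration.

```python
"""Constructed example: validating a user-supplied MCP STDIO server definition
before it is spawned. Hypothetical helper names; not code from MCP or any project."""
from dataclasses import dataclass


@dataclass(frozen=True)
class StdioServerSpec:
    """A STDIO server definition as it arrives from a UI, API body or config file."""
    command: str
    args: tuple[str, ...] = ()


# Policy A: command-name allowlist, the hardening the article says Upsonic and
# Flowise applied. It inspects only argv[0], so the arguments stay unconstrained.
COMMAND_ALLOWLIST = frozenset({"python", "npm", "npx"})


def allowed_by_command_name(spec: StdioServerSpec) -> bool:
    return spec.command in COMMAND_ALLOWLIST


# Policy B: the caller may only choose a server by name; every argv is pinned
# server-side. Registry entries below are constructed for this example.
PINNED_SERVERS = {
    "files": StdioServerSpec("npx", ("-y", "@example/mcp-server-files", "/srv/data")),
    "git": StdioServerSpec("python", ("-m", "example_mcp_git", "--repo", "/srv/repo")),
}


def allowed_by_pinned_argv(spec: StdioServerSpec) -> bool:
    """Accept only an exact (command, args) match; no user-controlled token survives."""
    return spec in PINNED_SERVERS.values()


def evaluate(spec: StdioServerSpec) -> dict[str, bool]:
    """Run both policies so the gap between them is visible side by side."""
    return {
        "command_allowlist": allowed_by_command_name(spec),
        "pinned_argv": allowed_by_pinned_argv(spec),
    }


if __name__ == "__main__":
    cases = {
        "legitimate pinned server": PINNED_SERVERS["files"],
        # The argument-level bypass the article describes: argv[0] is allowed,
        # but the arguments carry a different (here benign) command.
        "npx with -c": StdioServerSpec("npx", ("-c", "echo hello")),
        # Pinned command with one extra user-supplied argument appended.
        "pinned plus extra arg": StdioServerSpec("python", PINNED_SERVERS["git"].args + ("--extra",)),
        "direct shell": StdioServerSpec("/bin/sh", ("-c", "echo hello")),
    }
    for name, spec in cases.items():
        print(f"{name:26s} {evaluate(spec)}")
```

Policy A passes the "npx with -c" case, which is the behaviour the researchers exploited; Policy B rejects anything that is not a byte-for-byte pinned invocation.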
The third type of vulnerability allows zero-click prompt injection across AI integrated development environments (IDEs) and coding assistants such as Windsurf, Claude Code, Cursor, Gemini-CLI, and GitHub Copilot.
However, the only issued CVE that addresses this class of vuln is for Windsurf (CVE-2026-30615). It is also the only true zero-click vuln in that the user's prompt directly influences the MCP JSON configuration with no user interaction.
All of the other IDEs and vendors – including Google, Microsoft, and Anthropic – said this was a known issue, or not a valid security vulnerability because it requires explicit user permission to modify the file.
Finally, the fourth vulnerability family can be delivered through MCP marketplaces, and the threat hunters say they "successfully poisoned" nine out of 11 of these marketplaces – but using a proof-of-concept MCP that runs a command generating an empty file, not malware.
"The marketplaces that accepted our submission include platforms with hundreds of thousands of monthly visitors," the security shop wrote. "A single malicious MCP entry in any of these directories could be installed by thousands of developers before detection – each installation giving an attacker arbitrary command execution on the developer's machine."
Ox argues that Anthropic has the ability and responsibility "to make MCP secure by default."
"One architectural change at the protocol level would have protected every downstream project, every developer, and every end user who relied on MCP today," the researchers wrote. "That's what it means to own the stack." ®