- A critical “by design” flaw in Anthropic’s Model Context Protocol places over 7,000 public servers and software packages with over 150 million downloads at risk.
- The vulnerability enables remote code execution on vulnerable MCP implementations, granting attackers access to sensitive data, databases, and API keys.
- The core issue is unaddressed in Anthropic’s official SDK, propagating the risk across the AI supply chain to numerous downstream projects.
- Cybersecurity researchers published their findings in April 2026, detailing ten specific CVEs affecting major AI frameworks and tools.
Cybersecurity researchers from OX Security revealed in April 2026 a systemic flaw baked into the architecture of Anthropic’s Model Context Protocol. This weakness could pave the way for remote code execution and cascade through the artificial intelligence supply chain, according to their published analysis.
The critical vulnerability exists in the official MCP software development kit across languages like Python and Rust. Consequently, it affects more than 7,000 publicly accessible servers and software packages totaling over 150 million downloads.
“This flaw enables Arbitrary Command Execution (RCE) on any system running a vulnerable MCP implementation, granting attackers direct access to sensitive user data, internal databases, API keys, and chat histories,” the researchers said. The issue stems from unsafe defaults in how MCP configuration works over the STDIO transport interface.
As a result, ten vulnerabilities across popular projects including LiteLLM, LangChain, and Flowise have been identified. These fall under four broad categories that effectively trigger remote command execution on the server.
Anthropic has declined to modify the protocol’s architecture, citing the behavior as “expected.” Meanwhile, the shortcoming remains unaddressed in their MCP reference implementation, causing developers to inherit the code execution risks.
The researchers explained, “Anthropic’s Model Context Protocol gives a direct configuration-to-command execution via their STDIO interface on all of their implementations.” They further stated that shifting responsibility to implementers does not transfer the risk but obscures who created it.
To counter the threat, blocking public IP access to sensitive services and monitoring MCP tool invocations is advised. Running MCP-enabled services in a sandbox and treating external configuration input as untrusted are also recommended.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
