Anthropic MCP Design Vulnerability Allows RCE, Endangering AI Supply Chain

Key Takeaways

• A “by‑design” flaw in Anthropic’s Model Context Protocol (MCP) SDK allows unauthenticated arbitrary command execution on any system running a vulnerable implementation.
• The vulnerability stems from unsafe defaults in the STDIO transport interface, letting attackers turn a routine configuration request into full remote code execution (RCE).
• More than 7,000 public servers and over 150 million downloads across Python, TypeScript, Java, and Rust packages are affected, impacting popular AI integrations such as LiteLLM, LangChain, LangFlow, Flowise, and others.
• Attack vectors fall into four categories: unauthenticated/authenticated command injection via STDIO, hardening‑bypass injection, zero‑click prompt‑injection configuration edits, and marketplace‑driven hidden STDIO triggers.
• Independent researchers have previously reported similar issues (e.g., CVE‑2025‑49596, CVE‑2026‑22252), indicating the problem has been known for over a year.
• Anthropic considers the behavior “expected” and has not changed the reference SDK, leaving downstream developers to inherit the risk.
• Mitigations include blocking public IP access to MCP services, monitoring tool invocations, sandboxing MCP‑enabled components, treating external MCP input as untrusted, and installing servers only from verified sources.

Overview of the Vulnerability
Cybersecurity researchers from OX Security identified a critical architectural weakness in the Model Context Protocol (MCP) that enables arbitrary command execution (RCE) on any host running a vulnerable MCP implementation. The flaw is present in the official MCP software development kit (SDK) supplied by Anthropic and affects all supported language bindings—Python, TypeScript, Java, and Rust. Because the SDK is widely reused, more than 7,000 publicly accessible servers and over 150 million cumulative downloads of MCP‑based packages are exposed. The vulnerability is not a traditional bug in code logic but a “by‑design” outcome of how the STDIO (standard input/output) transport interface is configured by default, turning a benign configuration request into a gateway for executing arbitrary operating‑system commands.

Technical Details of the Flaw
The MCP SDK is intended to facilitate communication between a large language model (LLM) and local tools by spawning a local STDIO server and returning a handle to the LLM. In practice, the SDK does not sufficiently validate or sanitize the commands used to launch this STDIO server. When an attacker supplies a malicious command (e.g., rm -rf / or a reverse‑shell payload) as part of the MCP configuration, the SDK still attempts to start the server. If the command succeeds in creating an STDIO channel, the SDK returns the handle to the LLM; if it fails, the SDK returns an error after the command has already been executed. Consequently, any command that can be framed as a valid STDIO server launch will run with the privileges of the MCP process, granting the attacker direct access to the host’s filesystem, environment variables, API keys, databases, and chat histories. The issue is language‑agnostic because the unsafe logic resides in the core SDK shared across all bindings.

Impact on the AI Supply Chain
Given MCP’s role as a bridge between LLMs and external tools, the vulnerability propagates through the AI supply chain like a transitive dependency. Projects that integrate MCP to expose model capabilities—such as retrieval‑augmented generation (RAG) frameworks, agent platforms, and chatbot builders—inherit the execution risk without necessarily being aware of the underlying flaw. The researchers noted that the flaw has led to the discovery of ten distinct CVEs across popular ecosystems, each reflecting a different project’s specific usage pattern but sharing the same root cause. Because the vulnerability is present in the reference implementation, even projects that have patched their own wrappers remain exposed if they continue to rely on the unpatched Anthropic SDK.

List of Affected Projects and CVEs
The analysis enumerated the following vulnerabilities, all traced back to the MCP STDIO design flaw:

• CVE‑2025-65720 – GPT Researcher
• CVE‑2026-30623 – LiteLLM (patched)
• CVE‑2026-30624 – Agent Zero
• CVE‑2026-30618 – Fay Framework
• CVE‑2026-33224 – Bisheng (patched)
• CVE‑2026-30617 – Langchain‑Chatchat
• CVE‑2026-33224 – Jaaz
• CVE‑2026-30625 – Upsonic
• CVE‑2026-30615 – Windsurf
• CVE‑2026-26015 – DocsGPT (patched)
• CVE‑2026-40933 – Flowise

These CVEs illustrate how the same underlying weakness manifests in varied contexts, from documentation assistants to agent‑orchestration platforms.

Categories of Attack Vectors
The researchers grouped the exploitation methods into four broad categories, each achieving unauthenticated RCE via the MCP STDIO interface:

1. Unauthenticated and Authenticated Command Injection via MCP STDIO – Direct manipulation of the STDIO launch command without needing any prior authentication.
2. Unauthenticated Command Injection via Direct STDIO Configuration with Hardening Bypass – Exploiting missing or insufficient hardening checks that are meant to restrict permissible commands.
3. Unauthenticated Command Injection via MCP Configuration Edit through Zero‑Click Prompt Injection – Injecting malicious configuration via prompts or messages that are automatically processed by the LLM, leading to silent STDIO server creation.
4. Unauthenticated Command Injection through MCP Marketplaces via Network Requests, Triggering Hidden STDIO Configurations – Leveraging public plugin or marketplace endpoints that silently invoke MCP with attacker‑controlled parameters.

Each pathway demonstrates how the protocol’s flexibility, intended for extensibility, can be weaponized when security assumptions are not enforced.

Independent Related Findings
Prior to the OX Security disclosure, several researchers reported similar issues that trace back to the same MCP STDIO weakness:

• CVE‑2025-49596 – MCP Inspector
• CVE‑2026-22252 – LibreChat
• CVE‑2026-22688 – WeKnora
• CVE‑2025-54994 – @akoskm/create-mcp-server-stdio
• CVE‑2025-54136 – Cursor

These independent reports underscore that the vulnerability has been present for over a year and that the community has repeatedly observed its exploitation in disparate projects. The persistence of the flaw across time highlights a systemic gap between the protocol’s design intentions and its real‑world security posture.

Anthropic’s Response and Mitigation Guidance
Anthropic has stated that the observed behavior is “expected” and has declined to alter the reference MCP SDK architecture, arguing that the STDIO interface is deliberately permissive to support legitimate use cases. Consequently, the risk remains embedded in the official implementation, and downstream developers inherit it unless they take explicit defensive measures. OX Security recommends a layered mitigation strategy:

• Network‑level controls – Block public IP access to any service exposing MCP endpoints; restrict MCP traffic to trusted internal networks.
• Runtime monitoring – Log and alert on atypical MCP tool invocations, especially those spawning unexpected processes or accessing sensitive files.
• Sandboxing – Run MCP‑enabled components in isolated containers or virtual machines with minimal privileges and no direct access to production data.
• Input validation – Treat any external MCP configuration (including user‑supplied prompts that may affect configuration) as untrusted; apply strict allow‑lists for permissible commands and arguments.
• Supply‑chain hygiene – Install MCP servers only from verified, signed sources; audit third‑party MCP plugins for reliance on the unpatched SDK.

By combining these controls, organizations can reduce the likelihood of exploitation while awaiting a potential upstream fix from Anthropic or a community‑driven hardened fork.

Conclusion and Recommendations
The MCP STDIO vulnerability exemplifies how a single architectural decision—allowing arbitrary command execution as part of a legitimate configuration handshake—can cascade through an entire AI supply chain, affecting thousands of projects and millions of downloads. The flaw’s language‑agnostic nature means that mitigations cannot rely on patching a specific library version; instead, they must address the underlying trust model of MCP itself. Organizations using MCP‑based integrations should immediately implement network segmentation, strict input validation, and sandboxed execution, while pressing Anthropic and the broader MCP community to reconsider the protocol’s default behavior or provide an opt‑in secure mode. Until such changes are made, treating MCP configuration channels as untrusted input channels remains the most effective defense against the persistent risk of remote code execution.