Key Findings

• Critical "by design" vulnerability in Anthropic's Model Context Protocol (MCP) architecture enables remote code execution (RCE) on any system running vulnerable MCP implementations

• Unsafe defaults in STDIO transport interface configuration allow attackers to execute arbitrary OS commands and access sensitive data, API keys, and chat histories

• Vulnerability affects over 7,000 publicly accessible servers and software packages totaling more than 150 million downloads

• At least 15 CVEs identified across popular projects including LiteLLM, LangChain, LangFlow, Flowise, and others

• Anthropic has declined to modify the protocol architecture, labeling the behavior as "expected"

• Vulnerability propagated across all supported languages (Python, TypeScript, Java, Rust) creating a supply chain risk

Background

The Model Context Protocol is Anthropic's framework that enables large language models to interact with external tools and data sources through standardized interfaces. The STDIO (standard input/output) transport is one method MCP uses to communicate between clients and servers. The flaw exists in how MCP configuration works over this interface, creating a pathway for attackers to inject arbitrary commands that get executed with the privileges of the running service.

The Core Technical Issue

The vulnerability stems from how Anthropic designed the STDIO interface to start local servers. When MCP receives a command string in configuration, it attempts to execute it as a server startup command. The system returns a handle if the command successfully creates a STDIO server. The critical flaw: even when a command fails to create a server, the OS command still executes before the error is returned.

This means attackers can inject any operating system command, and it will run regardless of whether it establishes a valid STDIO server. The architecture treats all command inputs as executable instructions rather than validating them first.

Attack Vector Categories

Four distinct attack paths exploit this vulnerability:

• Unauthenticated and authenticated command injection via MCP STDIO, allowing direct execution on configured servers

• Unauthenticated command injection through direct STDIO configuration with attempts to bypass security hardening

• Unauthenticated command injection through zero-click prompt injection embedded in MCP configuration edits

• Unauthenticated command injection through MCP marketplaces via network requests that trigger hidden STDIO configurations

Supply Chain Impact

What makes this a supply chain event rather than isolated incidents is that one architectural decision in Anthropic's reference implementation silently propagated into every downstream library, programming language, and project that integrated MCP. Developers building on the protocol inherited the vulnerability unknowingly.

OX Security researchers documented 10 primary CVEs across major AI infrastructure projects. Independently reported vulnerabilities dating back over a year show the same root cause affecting projects like MCP Inspector, LibreChat, WeKnora, and Cursor. The scope reveals how a single design choice can expand attack surface across the entire AI ecosystem.

Anthropic's Response

Anthropic has declined to address the architectural issue, characterizing the behavior as expected functionality. While some vendors have released patches for their specific implementations, the vulnerability remains present in Anthropic's official MCP reference implementation across all supported languages. This means any developer using the reference implementation as a foundation continues to inherit the flaw.

The company's stance effectively shifts responsibility to implementers rather than addressing the root cause, leaving the fundamental vulnerability in place.

Mitigation Recommendations

Organizations can reduce exposure by implementing several defensive measures:

• Block public IP access to sensitive services running MCP implementations

• Monitor and log all MCP tool invocations for suspicious patterns

• Run MCP-enabled services in isolated sandbox environments

• Treat all external MCP configuration input as untrusted data

• Only install MCP servers from verified sources rather than public repositories

• Segment networks to limit lateral movement if a server is compromised

Sources

• https://thehackernews.com/2026/04/anthropic-mcp-design-vulnerability.html

• https://x.com/jedisct1/status/2046189367832560109

• https://www.linkedin.com/posts/the-cyber-security-hub_anthropic-mcp-design-vulnerability-enables-activity-7452034752100069376-VNp4