Cybersecurity researchers have discovered a critical “design” weakness in the Model Context Protocol (MCP) architecture. This could pave the way for remote code execution and have cascading effects on the artificial intelligence (AI) supply chain.
“This flaw allows arbitrary command execution (RCE) on systems running vulnerable MCP implementations, giving attackers direct access to sensitive user data, internal databases, API keys, and chat history,” OX Security researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok, and Roni Bar said in an analysis published last week.
The cybersecurity firm said the systemic vulnerability is built into Anthropic’s official MCP software development kit (SDK) across supported languages, including Python, TypeScript, Java, and Rust. Overall, more than 7,000 publicly accessible servers and software packages were affected, totaling more than 150 million downloads.
At issue are insecure defaults in the way the MCP configuration operates on the STDIO (standard input/output) transport interface, resulting in the discovery of 10 vulnerabilities across popular projects including LiteLLM, LangChain, LangFlow, Flowise, LettaAI, and LangBot.
CVE-2025-65720 (GPT Researcher) CVE-2026-30623 (LiteLLM) – Patched CVE-2026-30624 (Agent Zero) CVE-2026-30618 (Fay Framework) CVE-2026-33224 (Bisheng) – Patched CVE-2026-30617 (Langchain-Chatchat) CVE-2026-33224 (Jaaz) CVE-2026-30625 (Upsonic) CVE-2026-30615 (Windsurf) CVE-2026-26015 (DocsGPT) – Patched CVE-2026-40933 (Flowise)
These vulnerabilities fall into four broad categories and effectively allow remote command execution on the server.
Injection of Unauthenticated and Authenticated Commands via MCP STDIO Unauthenticated Command Injection via Direct STDIO Configuration with Hardened Bypass Unauthenticated Command Injection via MCP Configuration Edit with Zero-Click Prompt Injection Unauthenticated Command Injection via MCP Marketplace via Network Requests, Triggering Hidden STDIO Configuration
“Anthropic’s Model Context Protocol enables direct configuration-to-command execution via the STDIO interface on all implementations, regardless of programming language,” the researchers explained.
“This code was intended to be used to start a local STDIO server and return a handle to the STDIO to LLM. However, it actually allows anyone to execute arbitrary OS commands. If the command succeeds in creating the STDIO server, a handle is returned, but if another command is given, an error is returned after the command is executed.”
Interestingly, vulnerabilities based on the same core issue have been reported separately over the past year. These include CVE-2025-49596 (MCP Inspector), LibreChat (CVE-2026-22252), WeKnora (CVE-2026-22688), @akoskm/create-mcp-server-stdio (CVE-2025-54994), and Cursor (CVE-2025-54136) Contains.
However, Anthropic rejected changes to the protocol’s architecture, saying this behavior was “to be expected.” Although some vendors have issued patches, Anthropic’s MCP reference implementation does not address this shortcoming, leaving developers with the risk of code execution.
This finding highlights how AI-powered integration can unintentionally expand the attack surface. To combat this threat, we recommend blocking public IP access to sensitive services, monitoring calls to MCP tools, running MCP-enabled services in a sandbox, treating external MCP configuration input as untrusted, and installing MCP servers only from verified sources.
“What made this a supply chain event rather than a single CVE is that one architectural decision made once silently propagated to every language, every downstream library, and every project that trusted that the protocols were as they appeared,” OX Security said. “Shifting responsibility to the implementer does not transfer risk; it only obscures who created the risk.”
Source link
