Anthropic Design Choice Exposes 150M+ Downloads and up to 200K Servers to Complete Takeover
The OX Security Research team has uncovered a critical, systemic vulnerability at the core of the Model Context Protocol (MCP) — the industry standard for AI agent communication created and maintained by Anthropic.
This flaw enables arbitrary command execution, i.e. remote code execution (RCE), on any system running a vulnerable MCP implementation, giving attackers direct access to sensitive user data, internal databases, API keys, and chat histories.
This is not a traditional coding error. It is an architectural design decision baked into Anthropic’s official MCP SDKs across every supported programming language, including Python, TypeScript, Java, and Rust. Any developer building on the Anthropic MCP foundation unknowingly inherits this exposure.
Key Findings & Blast Radius
Massive Scale: The vulnerability ripples through a supply chain with 150M+ downloads, 7,000+ publicly accessible servers — and up to 200,000 vulnerable instances in total.
Diverse Attack Vectors: Our research identifies four distinct families of exploitation, proving the flaw can be triggered via:
- Unauthenticated UI Injection in popular AI frameworks.
- Hardening Bypasses in “protected” environments like Flowise.
- Zero-Click Prompt Injection in leading AI IDEs (Windsurf, Cursor).
- Malicious Marketplace Distribution (9 out of 11 MCP registries were successfully “poisoned” with a malicious trial balloon).
Real-World Impact: We successfully executed commands on six live production platforms and identified critical vulnerabilities in industry staples like LiteLLM, LangChain, and IBM’s LangFlow.
10 CVEs Issued (and counting)
| CVE ID | Product | Attack Vector | Severity | Status |
| --- | --- | --- | --- | --- |
| CVE-2025-65720 | GPT Researcher | UI injection / reverse shell | Critical | Reported |
| CVE-2026-30623 | LiteLLM | Authenticated RCE via JSON config | Critical | Patched |
| CVE-2026-30624 | Agent Zero | Unauthenticated UI injection | Critical | Reported |
| CVE-2026-30618 | Fay Framework | Unauthenticated Web-GUI RCE | Critical | Reported |
| CVE-2026-33224 | Bisheng | Authenticated UI injection (Open Registration) | Critical | Patched |
| CVE-2026-30617 | Langchain-Chatchat | Unauthenticated UI injection | Critical | Reported |
| CVE-2026-33224 | Jaaz | Unauthenticated UI injection | Critical | Reported |
| CVE-2026-30625 | Upsonic | Allowlist bypass via npx/npm args | High | Warning |
| CVE-2026-30615 | Windsurf | Zero-click prompt injection to local RCE | Critical | Reported |
| CVE-2026-26015 | DocsGPT | MITM transport-type substitution | Critical | Patched |
Vendor Response
We repeatedly recommended root-level fixes to Anthropic that would have protected millions of downstream users at once; Anthropic declined to modify the protocol’s architecture, describing the behavior as “expected.” We subsequently notified Anthropic of our intent to publish these findings, and they raised no objection.
Through more than 30 coordinated disclosures and 10+ High/Critical CVEs, OX Security has worked with individual projects to get them patched. The root cause, however, remains unaddressed at the protocol level.
Last week Anthropic unveiled Claude Mythos to help secure the world’s software. This research is a call to apply that same commitment closer to home — starting with a “Secure by Design” architecture and taking responsibility for the AI supply chain they created.

Remediation: What Can You Do About it?
- Block public IP access to sensitive services: LLM gateways, AI enablers and research tools sit in front of highly sensitive APIs and databases. Never expose them to the internet unless there is no alternative.
- Treat external MCP configuration input as untrusted: if user input reaches a downstream configuration such as StdioServerParameters (or the equivalent in another SDK), that input is command execution. Either block the flow entirely or let the user select only from trusted, pre-configured commands; do not let the caller choose the executable or its arguments.
- Use official MCP directories only: install MCP servers only from verified sources (such as the official GitHub MCP Registry) to reduce exposure to malicious servers and typosquatting.
- Run your MCP-enabled services inside a sandbox: this restricts permissions so that an exposed service cannot reach external databases, configuration files and API keys. Never give a server full disk access or shell execution privileges unless its specific function absolutely requires them.
- Monitor tool invocations: keep a close eye on which tools your AI agent actually calls. Be wary of any “background” activity or of tools that try to exfiltrate data to unknown external URLs; where possible, implement IP and URL blocking.
- Upgrade to the latest versions: update any affected service. If a service has no fixed version yet, do not expose it to user input, or disable it until it is patched.
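The second recommendation is the root pattern behind the findings above, and the Upsonic entry in the table shows why a plain executable allowlist is not enough. The following is an added example, not code from OX Security, Anthropic or any of the listed projects: it shows the vulnerable shape (caller-supplied `command`/`args` become the spawned process), a naive allowlist that the npx/npm-argument bypass defeats, and a hardened form in which the caller may only name a pre-configured server. `StdioServerParameters` is the real class in the Python SDK (`mcp.client.stdio`); the function names, the registry entries, the environment-variable allowlist and the sample configs are constructed for illustration.

```python
"""Untrusted MCP configuration reaching a stdio server launch: vulnerable
pattern, naive allowlist (bypassable via npx/npm args), and hardened form.

Added example, not OX Security's, Anthropic's or any listed project's code.
StdioServerParameters is the real SDK class; the rest is constructed.
"""
from dataclasses import dataclass

try:  # use the SDK class when installed; the checks below do not depend on it
    from mcp import StdioServerParameters
except ImportError:  # pragma: no cover
    StdioServerParameters = None


# 1. Vulnerable: the caller's JSON decides which process the client spawns.
def stdio_params_vulnerable(user_cfg: dict) -> dict:
    """Whatever arrives in `command`/`args` becomes a subprocess."""
    return {
        "command": user_cfg["command"],
        "args": list(user_cfg.get("args", [])),
        "env": dict(user_cfg.get("env") or {}),
    }


# 2. Naive allowlist on the executable only. `npx -y <package>` still runs
#    arbitrary code: the package (hence the code) is chosen by the arguments.
ALLOWED_BINARIES = frozenset({"npx", "node", "python", "uvx"})


def stdio_params_naive_allowlist(user_cfg: dict) -> dict:
    if user_cfg["command"] not in ALLOWED_BINARIES:
        raise PermissionError(f"executable {user_cfg['command']!r} not allowed")
    return stdio_params_vulnerable(user_cfg)  # args pass through unchanged


# 3. Hardened: the caller only names a pre-configured server. Executable, argv
#    and cwd are fixed here; env is limited to a per-server allowlist because
#    variables such as NODE_OPTIONS, PYTHONPATH or LD_PRELOAD are code
#    execution too.
@dataclass(frozen=True)
class ServerSpec:
    command: str
    args: tuple
    allowed_env: frozenset = frozenset()


SERVER_REGISTRY = {  # constructed entries; pin exact package versions in practice
    "filesystem": ServerSpec(
        "npx", ("-y", "@modelcontextprotocol/server-filesystem", "/srv/shared")
    ),
    "fetch": ServerSpec("python", ("-m", "mcp_server_fetch"), frozenset({"HTTPS_PROXY"})),
}

FORBIDDEN_KEYS = ("command", "args", "cwd")


def stdio_params_hardened(user_cfg: dict) -> dict:
    server_id = user_cfg.get("server")
    spec = SERVER_REGISTRY.get(server_id)
    if spec is None:
        raise PermissionError(f"unknown MCP server {server_id!r}")
    present = [k for k in FORBIDDEN_KEYS if k in user_cfg]
    if present:
        raise PermissionError(f"caller may not set {present}")
    env = {}
    for key, value in (user_cfg.get("env") or {}).items():
        if key not in spec.allowed_env:
            raise PermissionError(f"env var {key!r} not allowed for {server_id!r}")
        if not isinstance(value, str) or "\x00" in value:
            raise ValueError(f"bad value for env var {key!r}")
        env[key] = value
    return {"command": spec.command, "args": list(spec.args), "env": env}


def is_rejected(builder, user_cfg: dict) -> bool:
    """True if `builder` refuses `user_cfg`; used by the demo below."""
    try:
        builder(user_cfg)
    except (PermissionError, ValueError):
        return True
    return False


def to_sdk_params(params: dict):
    """Construct the SDK object only from validated values (dict if SDK absent)."""
    if StdioServerParameters is None:
        return params
    return StdioServerParameters(
        command=params["command"], args=params["args"], env=params["env"] or None
    )


if __name__ == "__main__":
    # Constructed attacker-controlled configs, the kind a web UI or JSON API forwards.
    shell = {"command": "sh", "args": ["-c", "id > /tmp/pwned"]}
    npx_bypass = {"command": "npx", "args": ["-y", "attacker-package"]}
    print("vulnerable spawns:", stdio_params_vulnerable(shell))
    print("naive allowlist blocks sh:", is_rejected(stdio_params_naive_allowlist, shell))
    print("naive allowlist still spawns npx payload:", stdio_params_naive_allowlist(npx_bypass))
    for cfg in (shell, npx_bypass, {"server": "fetch", "env": {"PYTHONPATH": "/tmp/x"}}):
        print("hardened rejects:", cfg, is_rejected(stdio_params_hardened, cfg))
    print("hardened accepts:", to_sdk_params(stdio_params_hardened({"server": "fetch"})))
```

The design point is that the trust boundary moves from "which binary" to "which pre-approved server", so nothing the caller sends is ever interpreted as an executable, an argument vector or a working directory; the same rule applies to the JSON config paths behind the LiteLLM and DocsGPT entries in the table.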
OX Customers
Following this research, OX Security has shipped protections across its platform.
- VibeSec / AI-generated code: OX now detects improper use of STDIO-based MCP configurations in AI-generated code, blocking patterns in which user input flows directly into a STDIO MCP configuration — the root pattern documented in this research.
- OX Security Platform: OX now flags existing STDIO MCP configurations in customer codebases where user input is present, surfacing them as actionable findings for remediation.
For More Information
- Download the full eBook for the complete findings
- Read the technical deep dive
- Read the Security Advisory