Cybersecurity researchers said a critical design flaw in Anthropic’s Model Context Protocol could allow remote code execution across affected systems, with more than 7,000 publicly accessible servers and software packages totaling over 150 million downloads potentially exposed, according to a technical analysis from OX Security.
KEY FACTS
- Scope: The issue affects Anthropic’s MCP SDK across supported languages, including Python, TypeScript, Java and Rust.
- Impact: Researchers said the flaw can enable arbitrary command execution and expose sensitive data, API keys and chat histories.
- Cases: The report ties the weakness to 10 vulnerabilities across projects such as LiteLLM, LangChain, LangFlow, Flowise, LettaAI and LangBot.
- Timing: Some affected projects have patched their issues, but the reference implementation remains unchanged.
The report says the problem stems from unsafe defaults in how MCP configuration works over the STDIO transport interface. It says this can turn configuration into command execution, including in cases involving direct STDIO configuration, prompt injection and MCP marketplaces.
Among the issues listed are CVE-2025-65720, CVE-2026-30623, CVE-2026-30624, CVE-2026-30618, CVE-2026-30617, CVE-2026-30625, CVE-2026-30615 and CVE-2026-40933. The disclosure also said similar weaknesses had been reported before in tools including MCP Inspector, LibreChat, WeKnora, @akoskm/create-mcp-server-stdio and Cursor.
Anthropic has declined to change the protocol architecture, saying the behavior is expected, according to the report. Researchers said the result is that downstream developers inherit the risk even when they are using official SDK code.
Recommended mitigations include blocking public IP access to sensitive services, monitoring MCP tool use, sandboxing MCP-enabled services, treating external configuration as untrusted and installing servers only from verified sources.
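As an added illustration of the "treat external configuration as untrusted" mitigation above, and of the configuration-to-command path the report describes over STDIO, the following Python checker audits a server config of the common mcpServers/command/args/env shape before anything is spawned. It is not code from OX Security, Anthropic or the MCP SDK; the allowlist, shell list, flag set and env prefixes are assumed policy values for a hypothetical deployment.

```python
import json
from pathlib import PurePath

# Policy values below are hypothetical examples of a local deployment policy,
# not defaults from any MCP SDK. Adjust them to the environment being audited.
ALLOWED_COMMANDS = {"npx", "uvx", "node", "python3"}
SHELL_LIKE = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh"}
INLINE_CODE_FLAGS = {"-c", "-e", "--eval", "-p", "--print"}
RISKY_ENV_PREFIXES = ("LD_", "DYLD_", "PATH")

def check_stdio_server(name, spec):
    """Return a list of policy violations for one STDIO server entry."""
    problems = []
    command = spec.get("command")
    if not isinstance(command, str) or not command:
        return [f"{name}: missing or non-string command"]
    base = PurePath(command).name.lower()
    if base in SHELL_LIKE:
        problems.append(f"{name}: shell interpreter '{command}' is never permitted")
    elif base not in ALLOWED_COMMANDS:
        problems.append(f"{name}: command '{command}' is not on the allowlist")
    args = spec.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        problems.append(f"{name}: args must be a list of strings")
    else:
        for a in args:
            if a in INLINE_CODE_FLAGS:
                problems.append(f"{name}: inline-code flag '{a}' in args")
    env = spec.get("env", {})
    if not isinstance(env, dict):
        problems.append(f"{name}: env must be an object")
    else:
        for key in env:
            if key.upper().startswith(RISKY_ENV_PREFIXES):
                problems.append(f"{name}: env override of '{key}' not permitted")
    return problems

def audit_mcp_config(config_text):
    """Parse an mcpServers config document and return {server: [violations]}."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: check_stdio_server(name, spec) for name, spec in servers.items()}

# Constructed sample: one conforming entry and one a reviewer should reject.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "npx", "args": ["-y", "@example/fs-server"]},
        "untrusted": {"command": "/bin/bash", "args": ["-c", "echo hello"], "env": {"PATH": "/tmp"}},
    }
})
```

Running `audit_mcp_config(SAMPLE_CONFIG)` reports no violations for "filesystem" and three for "untrusted" (shell interpreter, inline-code flag, PATH override).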
WHY IT MATTERS
The findings suggest a single protocol choice can spread security risk across multiple languages and products at once. That makes MCP deployments a broader supply chain concern for organizations that rely on AI integrations.