Anthropic MCP Flaw Enables Widespread AI RCE Attacks
Cybersecurity firm OX Security has identified a systemic vulnerability in Anthropic's Model Context Protocol (MCP) architecture that enables remote code execution (RCE) across the AI ecosystem, with cascading implications for the entire AI supply chain.
The flaw, described as "by design" in Anthropic's official MCP software development kit (SDK), stems from unsafe defaults in how MCP configuration interacts with the STDIO (standard input/output) transport interface. This allows attackers to execute arbitrary operating system commands on any system running a vulnerable MCP implementation, regardless of programming language, potentially compromising sensitive user data, internal databases, API keys, and chat histories.
According to OX Security's technical advisory, the vulnerability affects over 7,000 publicly accessible servers and software packages with more than 150 million downloads. The researchers identified 10 distinct CVEs across popular AI frameworks including LangChain, LiteLLM, and Flowise, with some already patched (e.g., CVE-2026-30623 for LiteLLM) while others remain unaddressed.
The root cause lies in MCP's STDIO interface design, which directly translates user-supplied configuration inputs into executable commands without proper sanitization. This enables four attack vectors: unauthenticated command injection via MCP STDIO, bypassing hardening mechanisms, prompt injection via zero-click configurations, and exploitation through MCP marketplaces. As OX Security noted, "Anthropic's Model Context Protocol gives a direct configuration-to-command execution via their STDIO interface on all of their implementations, regardless of programming language."
Notable affected projects include LangFlow (CVE-2025-65720), GPT Researcher (CVE-2025-65720), and Agent Zero (CVE-2026-30624), all of which allow attackers to run arbitrary commands through seemingly benign configuration interfaces. The severity is classified as critical across all instances, with potential for full system compromise without authentication.
This vulnerability represents a significant supply chain risk because MCP is designed as a foundational protocol for AI model interactions. Its adoption across the AI ecosystem means a single flaw in the protocol can propagate to countless applications, making it a high-value target for attackers seeking to compromise AI infrastructure at scale. The OX Security report emphasizes that "this code was meant to be used in order to start a local STDIO server, and give a handle of the STDIO back to the LLM. But in practice it actually lets anyone run any arbitrary OS command."
Developers using MCP-based frameworks are urged to audit their configurations immediately and apply patches where available. The OX Security advisory recommends implementing strict input validation and restricting STDIO interface access to trusted environments until a permanent fix is deployed across all affected implementations. The researchers note that while Anthropic has not publicly acknowledged the vulnerability, the MCP SDK's architecture inherently enables these exploits due to its fundamental design choices.
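The pattern the advisory describes, an application turning the `command`, `args` and `env` fields of an MCP server configuration directly into a spawned process, is easiest to reason about next to the hardened alternative the advisory's recommendation implies: strict validation of the configuration against an operator-maintained registry of approved servers, so that untrusted configuration can only select a pre-approved launch, never define a new one. The code below is an added illustration written for this article; it is not code from the MCP SDK, OX Security or any of the named projects. It assumes the common `{"mcpServers": {"<name>": {"command", "args", "env"}}}` JSON layout, and the registry entries, binary paths and sample configuration are constructed values.

```python
"""Audit and hardened launch of MCP-style STDIO server configurations.

Added example for this article, not code from the MCP SDK or OX Security.
Assumed config layout: {"mcpServers": {"<name>": {"command", "args", "env"}}}.
The registry, paths and sample config are constructed values.
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample config, as an operator might import from an untrusted source
# (a marketplace listing, a shared project file). The "helper" entry shows why a
# free-form command field is a problem: it is a process launch, not a setting.
SAMPLE_CONFIG = {
    "mcpServers": {
        "filesystem": {
            "command": "/opt/mcp/bin/mcp-fs",
            "args": ["--root", "/srv/docs"],
        },
        "helper": {
            "command": "sh",
            "args": ["-c", "echo owned"],
            "env": {"LD_PRELOAD": "/tmp/untrusted.so"},
        },
    }
}


def build_argv_unsafe(server_cfg: dict) -> list:
    """The vulnerable pattern: configuration fields become the process argv verbatim."""
    return [server_cfg["command"], *server_cfg.get("args", [])]


@dataclass(frozen=True)
class ServerSpec:
    """A pre-approved STDIO server: fixed argv and the only env keys config may set."""
    name: str
    argv: tuple
    allowed_env: frozenset = frozenset()


# Operator-maintained registry (constructed). Configuration may only refer to these.
REGISTRY = {
    "filesystem": ServerSpec(
        "filesystem",
        ("/opt/mcp/bin/mcp-fs", "--root", "/srv/docs"),
        frozenset({"MCP_LOG_LEVEL"}),
    ),
}

_ENV_KEY = re.compile(r"^[A-Z][A-Z0-9_]{0,63}$")


class ConfigRejected(ValueError):
    """Raised when a server entry does not match the registry exactly."""


def resolve_server(name: str, server_cfg: dict):
    """Validate one config entry against the registry; return (spec, env) or raise."""
    spec = REGISTRY.get(name)
    if spec is None:
        raise ConfigRejected(f"{name}: not in registry")
    # command and args must match the approved launch token for token; no free-form argv.
    requested = (server_cfg.get("command"), *server_cfg.get("args", []))
    if requested != spec.argv:
        raise ConfigRejected(f"{name}: command/args differ from registry")
    env = {}
    for key, value in server_cfg.get("env", {}).items():
        # Only allowlisted, well-formed keys with plain string values (no LD_PRELOAD, PATH, ...).
        if key not in spec.allowed_env or not _ENV_KEY.match(key):
            raise ConfigRejected(f"{name}: env var {key!r} not permitted")
        if not isinstance(value, str) or "\x00" in value:
            raise ConfigRejected(f"{name}: env var {key!r} has an invalid value")
        env[key] = value
    return spec, env


def audit_config(config: dict) -> dict:
    """Report every mcpServers entry as 'ok' or the reason it would be refused."""
    report = {}
    for name, server_cfg in config.get("mcpServers", {}).items():
        try:
            resolve_server(name, server_cfg)
            report[name] = "ok"
        except ConfigRejected as exc:
            report[name] = str(exc)
    return report


def launch(spec: ServerSpec, env: dict) -> subprocess.Popen:
    """Spawn an approved server: argv list (never a shell string), minimal environment."""
    clean_env = {"PATH": "/usr/bin:/bin", **env}
    return subprocess.Popen(
        list(spec.argv), env=clean_env, cwd="/", shell=False,
        stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
    )


if __name__ == "__main__":
    for server, verdict in audit_config(SAMPLE_CONFIG).items():
        print(f"{server}: {verdict}")
```

Running the audit over the sample prints `filesystem: ok` and a rejection for `helper`, which is the check a developer can run over imported configuration before any server is started. The design choice is that configuration selects a server by name and must match the registry exactly; anything that would add a binary, change its arguments or inject loader variables through `env` is refused rather than sanitized, because the advisory's point is that the configuration field is itself the command.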
The discovery underscores growing security challenges in AI infrastructure protocols, where convenience often trumps security in early implementation phases. As AI systems become increasingly interconnected through standardized protocols like MCP, vulnerabilities in foundational components can create systemic risks that extend far beyond individual applications. This incident serves as a critical reminder that security must be embedded in protocol design from the outset, rather than treated as an afterthought in rapidly evolving AI ecosystems.
Artūras Malašauskas is an AI Systems Integrator with 20+ years of production-grade web engineering experience. He has designed, shipped, and scaled enterprise Python/PHP systems for logistics, SaaS, and public-sector clients. For the past year, he has focused exclusively on AI integrations: deploying open-source LLMs, building generative media pipelines (image, audio, video), and engineering multi-agent workflows for real production environments. His standard: reproducibility, security, cost-efficient inference—no vaporware. He documents and evaluates emerging AI tooling, separating verified capabilities from marketing noise. Technical editor at: muza-ai.eu, ai-verslas.lt, ai-naujinos.lt