AI/TLDR

OX Security · 2026-04-15 · major

Anthropic MCP Design Flaw Enables RCE Across 150M+ Downloads

OX Security found Anthropic's MCP STDIO transport allows arbitrary command execution by design. 11 CVEs across LiteLLM, Windsurf, Flowise, DocsGPT, LangChain, and others — 150M+ downloads affected. Anthropic declined to fix the protocol, calling it expected behavior.

Anthropic MCP design vulnerability — RCE supply chain risk across AI tools including Claude Code, Cursor, and Windsurf

A design choice in Anthropic's MCP STDIO transport lets any malicious server run OS commands on the developer's machine — Anthropic says it's working as intended.

Key specs

Downloads affected150M+
Vulnerable public servers7,000+
Cves issued11
Live platforms exploited6

What is it?

OX Security published research on April 15, 2026, showing that Anthropic's Model Context Protocol (MCP) STDIO transport interface enables arbitrary command execution on any host running a vulnerable MCP implementation. The flaw is not a coding bug but an architectural decision — MCP's official SDKs (Python, TypeScript, Java, Rust) all use STDIO defaults that allow direct configuration-to-OS-command execution without sanitization.

How does it work?

MCP servers expose a STDIO transport that accepts tool calls from a connected AI agent. The protocol design does not restrict which OS commands those tools can invoke, so a malicious or compromised MCP server can run arbitrary shell commands with the privileges of the developer's process. OX Security documented four exploitation families: unauthenticated UI injection in AI frameworks; hardening bypass via indirect injection; zero-click prompt injection in AI IDEs like Windsurf and Cursor; and distribution of malicious MCP servers through registries (9 of 11 tested registries were exploitable). 11 CVEs have been issued covering LiteLLM, Bisheng, DocsGPT, Flowise, Agent Zero, Windsurf, Jaaz, LangChain-Chatchat, and others.

Why does it matter?

MCP is the protocol running under Claude Code, Cursor, Windsurf, VS Code's Claude extension, Gemini CLI, LiteLLM, and LangChain. With 150M+ downloads and 7,000+ public servers, installing a single compromised MCP server gives an attacker persistent code execution on the developer's machine. Anthropic has declined to modify the protocol architecture, saying sanitization is the developer's responsibility — leaving the entire MCP ecosystem dependent on every server author handling this correctly.

Who is it for?

Developers and teams using any MCP-compatible coding agent or AI IDE

Try it

Audit your active MCP servers — only connect to servers you control or have reviewed source code for

Sources · 2 outlets

Tags

  • mcp
  • security
  • rce
  • cve
  • supply-chain
  • command-injection
  • claude-code
  • cursor
  • windsurf
  • langchain
  • litellm

← All releases · Learn AI