Critical Anthropic MCP Vulnerability Lets Attackers Remotely Execute Code
Key Takeaways A critical design flaw in Anthropic’s Model Context Protocol (MCP) SDKs allows for remote code execution. The vulnerability affects an estimated 150 million downloads and up to...
Key Takeaways
- A critical design flaw in Anthropic’s Model Context Protocol (MCP) SDKs allows for remote code execution.
- The vulnerability affects an estimated 150 million downloads and up to 200,000 servers.
- Discovered by OX Security, the architectural flaw impacts all supported programming languages (Python, TypeScript, Java, Rust).
- Successful exploitation can lead to full system takeover, exposing sensitive data, API keys, and chat histories.
- While some critical CVEs have been patched, many high-profile projects remain vulnerable.
Critical Flaw in Anthropic’s MCP Exposes Millions to Remote Code Execution
A significant architectural vulnerability within Anthropic’s Model Context Protocol (MCP) software development kits (SDKs) could enable attackers to execute arbitrary code remotely, threatening an estimated 150 million downloads and potentially compromising up to 200,000 servers globally. This critical flaw was identified by the OX Security Research team.
Table Of Content
Deep-Seated Design Flaw
Unlike a typical coding error, the vulnerability stems from a fundamental design decision embedded directly into Anthropic’s official MCP SDKs across all supported languages, including Python, TypeScript, Java, and Rust. This means that any developer building applications on the MCP foundation inadvertently inherits this critical exposure from the outset, making it an architectural rather than an implementation-specific weakness.
The flaw specifically facilitates Arbitrary Command Execution (RCE) on any system running a vulnerable MCP implementation. Successful exploitation grants threat actors direct access to highly sensitive information, including user data, internal databases, API keys, and chat histories, effectively yielding complete control over the compromised environment.
Exploitation Vectors Identified
OX Security researchers categorized the potential exploitation into four distinct families:
- Unauthenticated UI Injection: Targeting popular AI frameworks through unauthenticated user interface vulnerabilities.
- Hardening Bypasses: Circumventing supposed protections in environments like Flowise.
- Zero-Click Prompt Injection: Exploiting AI integrated development environments (IDEs) such as Windsurf and Cursor without requiring user interaction.
- Malicious Marketplace Distribution: Demonstrating how 9 out of 11 MCP registries could be successfully poisoned with malicious test payloads.
The research team confirmed successful command execution on six live production platforms, highlighting critical vulnerabilities in prominent projects like LiteLLM, LangChain, and IBM’s LangFlow.
Patching Status and Vendor Response
The discovery led to the issuance of at least 10 CVEs across several high-profile projects. While some critical flaws, such as CVE-2026-30623 in LiteLLM and CVE-2026-33224 in Bisheng, have received patches, many others remain unaddressed. Tools like GPT Researcher, Agent Zero, Windsurf, and DocsGPT are currently in a “reported” but unpatched state.
OX Security advocated for a protocol-level patch directly to Anthropic, which would have immediately safeguarded millions of downstream users. However, Anthropic declined this recommendation, characterizing the observed behavior as “expected.” The company did not object to the researchers’ intent to publicly disclose their findings.
This response from Anthropic comes shortly after the company unveiled Claude Mythos, a tool marketed for securing software. Researchers view this contrast as a clear call for Anthropic to prioritize “Secure by Design” principles within its own foundational infrastructure.
What You Should Do
- Isolate AI Services: Block public internet access to any AI services that are connected to sensitive APIs or databases.
- Validate Inputs: Treat all external MCP configuration inputs as untrusted. Implement strict validation and restrict user-controlled inputs, especially for STDIO parameters.
- Verify Sources: Install MCP servers exclusively from verified, official sources, such as the official GitHub MCP Registry.
- Sandbox Environments: Run all MCP-enabled services within sandboxed environments configured with strictly limited permissions.
- Monitor Activity: Continuously monitor all tool invocations for any signs of unexpected background activity or attempts at data exfiltration.
- Apply Updates: Immediately update all affected services and projects to their latest patched versions as they become available.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.