Anthropic SDK flaw exposed

- Researchers disclosed a critical remote-code-execution vulnerability in Anthropic's Model Context Protocol SDK.
- The exploit reportedly risks exposure across roughly 200,000 AI servers tied to the protocol.
- The finding makes agent SDKs and protocol design a supply-chain level security concern for platform owners (tomshardware.com).

Anthropic’s Model Context Protocol software kit contains a design flaw that researchers say can let attackers run commands on vulnerable AI systems. (ox.security)

Model Context Protocol, or MCP, is the plumbing that lets an AI app connect to outside tools like GitHub, Slack, Google Drive, and databases instead of answering from the model alone. Anthropic introduced the open standard on November 25, 2024, alongside SDKs and an open-source server repository. (anthropic.com)

OX Security published its report on April 15, 2026, and said the issue affects Anthropic’s official MCP SDKs across Python, TypeScript, Java, and Rust. The firm estimated a blast radius of more than 150 million package downloads, 7,000 publicly accessible servers, and up to 200,000 vulnerable instances. (ox.security)

The core issue sits in MCP’s standard input/output mode, a local bridge that starts tools by invoking operating-system commands. OX said an attacker who can tamper with MCP configuration can turn that bridge into remote code execution on the host machine. (thehackernews.com)

OX said it verified the problem across six live production platforms and linked the same root cause to at least 10 vulnerabilities in downstream products, including LiteLLM, LangChain-Chatchat, Flowise, DocsGPT, Agent Zero, and Windsurf. Some vendors patched their own products, but OX said the protocol-level behavior remains in Anthropic’s reference implementation. (ox.security) (thehackernews.com)

Anthropic launched MCP to replace one-off integrations with a single standard, and that design choice helped it spread fast through coding tools, agent frameworks, and enterprise connectors. The same shared SDK layer now means one unsafe default can travel through a long chain of dependent software. (anthropic.com) (github.com)

The dispute is partly over whether this is a bug or expected behavior. OX said it repeatedly asked Anthropic for a root fix, while Anthropic told researchers the behavior was “expected,” according to OX and follow-up reporting by The Register. (ox.security) (theregister.com)

That leaves developers and platform owners with the cleanup work: audit MCP configurations, restrict standard input/output launches, and treat agent toolchains like software supply chains rather than simple plug-ins. The opening claim in OX’s report is blunt: the risk is no longer limited to one app or one vendor. (securityweek.com) (ox.security)
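One concrete form of the configuration audit the article ends on, added here as an example and not code from OX, Anthropic or the MCP SDKs: it assumes a host config laid out as an `mcpServers` map of `command`/`args`/`env` entries (the shape common MCP hosts use) and a constructed allowlist of pinned executables, and it flags entries whose stdio launch would hand the host a shell, inline code, or an injecting environment variable.

```python
import json
import os
import re

# Constructed allowlist for this example: basename -> pinned absolute path
# the host is permitted to launch as a stdio MCP server.
ALLOWED_COMMANDS = {
    "npx": "/usr/local/bin/npx",
    "uvx": "/home/agent/.local/bin/uvx",
}
# Interpreters that turn any argument into arbitrary code on the host.
SHELL_LIKE = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}
# Argument shapes that pass inline code or chain commands.
DANGEROUS_ARG = re.compile(r"^(-c|-e|--eval)$|[;&|`$<>]")
# Environment variables that load extra code into the launched process.
INJECTING_ENV = {"LD_PRELOAD", "DYLD_INSERT_LIBRARIES", "NODE_OPTIONS"}

def audit_server(name, spec):
    """Return findings for one mcpServers entry; an empty list means it passes."""
    findings = []
    command = spec.get("command", "")
    base = os.path.basename(command)
    if base in SHELL_LIKE:
        findings.append(f"{name}: shell interpreter launched as server ({command})")
    if base not in ALLOWED_COMMANDS:
        findings.append(f"{name}: command not on allowlist ({command})")
    elif command != ALLOWED_COMMANDS[base]:
        findings.append(f"{name}: command is not the pinned path ({command})")
    for arg in spec.get("args", []):
        if not isinstance(arg, str) or DANGEROUS_ARG.search(arg):
            findings.append(f"{name}: suspicious argument {arg!r}")
    for key in spec.get("env", {}):
        if key in INJECTING_ENV:
            findings.append(f"{name}: env var {key} can inject code into the server")
    return findings

def audit_config(text):
    """Audit a host config; returns {server_name: findings} for failing entries only."""
    servers = json.loads(text).get("mcpServers", {})
    report = {n: audit_server(n, s) for n, s in servers.items()}
    return {n: f for n, f in report.items() if f}

# Constructed sample: one conforming entry and two that a tampered config could plant.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "docs": {"command": "/usr/local/bin/npx", "args": ["-y", "@example/mcp-server", "/srv/docs"]},
    "helper": {"command": "/bin/sh", "args": ["-c", "echo tampered"]},
    "notes": {"command": "/usr/local/bin/npx", "args": ["-y", "@example/notes"],
              "env": {"NODE_OPTIONS": "--require /tmp/hook.js"}},
}})
```

Running `audit_config` over a host's config before the host is allowed to spawn stdio servers turns "restrict standard input/output launches" into a repeatable gate rather than a manual review.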

Shared from Scout - Be the smartest in the room.