MCP security flaw

- Researchers disclosed a critical remote-code-execution vulnerability in Anthropic's Model Context Protocol SDKs, affecting tool integrations.
- The flaw could expose roughly 200,000 AI servers across the supply chain, according to reporting.
- The vulnerability raises new attack-surface concerns for teams adopting agentic workflows, pushing for least-privilege connectors and stricter reviews. (tomshardware.com)

Model Context Protocol, or MCP, is the plumbing many AI apps use to reach files, databases, and other tools — and researchers now say a flaw in that plumbing can let attackers run commands on the host machine. (anthropic.com; modelcontextprotocol.io; ox.security)

Anthropic introduced MCP on November 25, 2024 as an open standard for connecting assistants to external systems, and the project was later donated to the Linux Foundation’s Agentic AI Foundation on December 9, 2025. (anthropic.com; anthropic.com) The protocol works like a universal adapter: a host app talks to an MCP client, which then connects to MCP servers that expose tools or data. The specification says clients should support a local “stdio” mode, where the host launches a server process and talks to it over standard input and output. (modelcontextprotocol.io; modelcontextprotocol.io)

OX Security said on April 15, 2026 that this local-process model can be abused when an attacker controls or influences MCP configuration, because the official SDK flow can end up spawning arbitrary operating-system commands. OX said the issue affects the official Python, TypeScript, Java, and Rust SDKs. (ox.security; thehackernews.com) The firm estimated the blast radius at more than 150 million downstream package downloads, more than 7,000 internet-exposed servers, and as many as 200,000 total server instances. Tom’s Hardware and other outlets separately matched the broad outline of those figures in follow-up reporting. (ox.security; thehackernews.com; tomshardware.com)

Anthropic did not frame the behavior as a software bug in the same way the researchers did. Multiple reports said the company described the behavior as “by design” and placed responsibility for sanitization and safe use on the developers integrating MCP servers. (theregister.com; securityweek.com)

That dispute lands as MCP adoption has spread from Anthropic’s own ecosystem into coding tools, orchestration frameworks, and enterprise agents. OX and follow-up reports named downstream projects and products including LangChain, Flowise, LiteLLM, Cursor, Windsurf, Claude Code, and Visual Studio Code integrations. (ox.security; devops-daily.com; thehackernews.com)

Security researchers had already been warning that MCP expands the attack surface by giving language models pathways into real systems. In 2025, Oligo Security disclosed a separate critical remote-code-execution flaw, CVE-2025-49596, in the MCP Inspector debugging tool distributed with Anthropic’s SDK. (oligo.security; nvd.nist.gov)

The immediate fix is less about one patch than about reducing what any connector can do. Security guidance in the coverage centers on least-privilege tool access, strict review of server configs, and avoiding blind trust in local stdio servers that can start processes on the same machine. (csoonline.com; securityweek.com; modelcontextprotocol.io)

For teams racing to add agent features, the warning is simple: every new tool connection is also a new execution path. In MCP’s case, the same standard that made tool use easier also made one design choice travel quickly across the AI software supply chain. (anthropic.com; ox.security; theregister.com)
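The stdio model described above means an MCP host will launch whatever `command` a server entry names, so the "strict review of server configs" the coverage recommends is concrete: before a host honors a config, check what it would spawn. The following is an added example written for this briefing, not code from the page, from OX Security, or from the MCP project. It assumes the common `mcpServers` JSON layout (`{"mcpServers": {name: {"command", "args", "env"}}}`) that several MCP host applications use; the executable allowlist, the risky-flag lists, and the sample config are all constructed for illustration.

```python
"""Review an MCP host configuration for stdio server entries that could become
arbitrary command execution on the host. Illustrative example only; the
`mcpServers` layout, the allowlist and the sample config are assumptions."""
import json
import os
import re

# Constructed allowlist: the only executables this host may launch as stdio servers.
ALLOWED_COMMANDS = {"/usr/bin/node", "/usr/local/bin/uvx", "/usr/bin/python3"}

# A server entry that launches a shell, or asks an interpreter to evaluate a string,
# is no longer "a tool server": it is a generic command runner.
SHELL_LIKE = {"sh", "bash", "zsh", "dash", "cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh"}
EVAL_FLAGS = {"-c", "-e", "--eval", "-Command", "-EncodedCommand"}
META = re.compile(r"[;&|`$<>]")

# Environment variables that change how the launched process resolves code or libraries.
RISKY_ENV = {"PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH",
             "NODE_OPTIONS", "DYLD_INSERT_LIBRARIES"}


def review_server(name, entry):
    """Return a list of findings for one server entry; an empty list means it passed."""
    findings = []
    command = entry.get("command", "")
    args = entry.get("args", [])
    env = entry.get("env", {})

    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        findings.append(f"{name}: args must be a list of strings")
        args = [a for a in args if isinstance(a, str)] if isinstance(args, list) else []

    base = os.path.basename(command).lower()
    if not os.path.isabs(command):
        findings.append(f"{name}: command {command!r} is not an absolute path (resolved via PATH)")
    if base in SHELL_LIKE:
        findings.append(f"{name}: command launches a shell ({base})")
    if command not in ALLOWED_COMMANDS:
        findings.append(f"{name}: command {command!r} is not on the allowlist")
    for a in args:
        if a in EVAL_FLAGS:
            findings.append(f"{name}: argument {a!r} asks the interpreter to evaluate a string")
        if META.search(a):
            findings.append(f"{name}: argument {a!r} contains shell metacharacters")
    for k in env:
        if k.upper() in RISKY_ENV:
            findings.append(f"{name}: env overrides {k}, which changes how the process loads code")
    return findings


def review_config(text):
    """Parse a config document and return {server_name: [findings]} for every server."""
    cfg = json.loads(text)
    return {name: review_server(name, entry)
            for name, entry in cfg.get("mcpServers", {}).items()}


# Constructed sample config: one clean entry and three that a reviewer should reject.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "/usr/bin/node",
                       "args": ["/opt/mcp/fs-server.js", "/home/alice/docs"]},
        "shell-ish": {"command": "/bin/sh", "args": ["-c", "echo hello"]},
        "pathy": {"command": "python3", "args": ["server.py"],
                  "env": {"PYTHONPATH": "/tmp/x"}},
        "plugin": {"command": "/usr/bin/node", "args": ["server.js", "--root", "$HOME/data"]},
    }
})

if __name__ == "__main__":
    for server, findings in review_config(SAMPLE_CONFIG).items():
        status = "OK" if not findings else "REJECT"
        print(f"[{status}] {server}")
        for f in findings:
            print("   -", f)
```

The checks are deliberately conservative: an entry fails if it resolves its executable through `PATH`, launches a shell or evaluator, is not on the host's allowlist, carries shell metacharacters in its arguments, or rewrites load-path variables. Running the review at config-load time, and treating any finding as a hard reject rather than a warning, is the "don't blindly trust local stdio servers" advice turned into a gate.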

Shared from Scout - Be the smartest in the room.