Anthropic SDK Vulnerability

- Security researchers discovered a critical remote-code-execution flaw in Anthropic’s Model Context Protocol SDKs.
- The report says the vulnerability could potentially expose around 200,000 AI servers to remote attack.
- The finding highlights real risks in the AI supply chain that engineers must mitigate when deploying model-serving infrastructure. (tomshardware.com)

A standard that lets chatbots reach into files, databases, and software tools is under new scrutiny after researchers said Anthropic’s Model Context Protocol can be abused for remote code execution. (anthropic.com) (ox.security)

Anthropic introduced the Model Context Protocol, or MCP, on Nov. 25, 2024 as an open standard for connecting AI assistants to “content repositories, business tools, and development environments.” Its docs describe MCP as a “USB-C port for AI applications,” with support across tools including Claude, ChatGPT, Cursor, and Visual Studio Code. (anthropic.com) (modelcontextprotocol.io)

One common MCP setup is simple: the client launches a server as a subprocess and talks to it over standard input and output, the text streams every command-line program already uses. The protocol specification says clients should support that “stdio” transport whenever possible. (modelcontextprotocol.io)

OX Security said on April 15, 2026 that this design can let attackers trigger arbitrary operating-system commands on machines running vulnerable MCP implementations. The firm said the issue affects Anthropic’s official SDKs in Python, TypeScript, Java, and Rust. (ox.security)

The reported scale is large. OX said the exposure reaches software packages with more than 150 million downloads, more than 7,000 publicly accessible MCP servers, and as many as 200,000 vulnerable instances overall. (ox.security)

The dispute is partly about whether this is a bug or an unsafe default. The Register reported that Anthropic declined to change the protocol architecture and described the behavior as “expected,” while OX said it had pushed for a protocol-level fix during disclosures that began in November 2025. (theregister.com)

Researchers tied the protocol issue to a growing list of downstream flaws. The Register said at least 10 high- and critical-severity Common Vulnerabilities and Exposures, or CVEs, had already been issued in tools built on MCP, and OX’s write-up named projects including LiteLLM, LangChain, LangFlow, Cursor, Windsurf, and IBM’s LangFlow disclosures. (theregister.com) (ox.security)

A separate MCP problem had already surfaced in Anthropic’s own tooling. Oligo Security disclosed CVE-2025-49596 on June 27, 2025 in the official MCP Inspector debugging tool, said the bug carried a CVSS severity score of 9.4, and said Anthropic fixed it in version 0.14.1. (oligo.security)

The protocol docs already warn that MCP servers using HTTP should validate Origin headers, bind to localhost when running locally, and require authentication to avoid DNS rebinding and remote-access problems. The new findings shift more attention to the local subprocess path that many developers treated as the safer default. (modelcontextprotocol.io) (theregister.com)

For companies deploying AI agents, the practical issue is no longer just which model they run. It is also which MCP servers they install, which commands those servers can spawn, and whether every link in that chain is locked down before the assistant gets access to live systems. (modelcontextprotocol.io) (ox.security)
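As an added example, and not code from Anthropic’s SDKs or from OX’s research, here is the kind of client-side policy check a deployer can put in front of the stdio launch described above: each server entry from a configuration file is validated against an operator-maintained allowlist and then spawned with argv passed directly to the OS, never through a shell. The allowlist, the rejected character set, and the configuration entries are constructed for this example.

```python
"""Policy check for MCP stdio server entries before they are spawned (illustrative)."""
import subprocess
from collections.abc import Mapping

# Characters a shell would interpret. They are inert with shell=False, but refusing
# them is defence in depth in case a lower layer still hands argv to /bin/sh or cmd.exe.
SHELL_METACHARS = set(";&|`$<>(){}\n\r")


class UnsafeServerConfig(ValueError):
    """Raised when a server entry fails the deployment policy."""


def validate_server_config(entry: Mapping, approved: Mapping[str, str]) -> list[str]:
    """Return a clean argv for one entry of the form {"command": ..., "args": [...]}.

    `approved` (hypothetical policy) maps a bare program name to the absolute path the
    operator verified. The command must be that bare name or exactly that path, so a
    look-alike binary dropped elsewhere on disk is refused rather than executed.
    """
    command = entry.get("command")
    args = entry.get("args", [])
    if not isinstance(command, str) or not command:
        raise UnsafeServerConfig("missing or non-string command")
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        raise UnsafeServerConfig("args must be a list of strings")
    if command in approved:
        resolved = approved[command]
    elif command in approved.values():
        resolved = command
    else:
        raise UnsafeServerConfig(f"command not on the approved list: {command!r}")
    for token in args:
        if SHELL_METACHARS & set(token):
            raise UnsafeServerConfig(f"shell metacharacter in argument: {token!r}")
    return [resolved, *args]


def is_safe_entry(entry: Mapping, approved: Mapping[str, str]) -> bool:
    """Boolean form of the check, convenient for filtering a whole config file."""
    try:
        validate_server_config(entry, approved)
        return True
    except UnsafeServerConfig:
        return False


def launch_stdio_server(entry: Mapping, approved: Mapping[str, str]) -> subprocess.Popen:
    """Spawn the validated server wired for the stdio transport, with no shell in the path."""
    argv = validate_server_config(entry, approved)
    return subprocess.Popen(
        argv,
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        shell=False,  # argv goes to the OS as-is; a shell would reparse every token
        env={"PATH": "/usr/bin:/bin"},  # minimal environment: do not pass the client's secrets down
    )
```

Only binaries that cannot be turned into an evaluator by their own arguments belong on the allowlist; an interpreter with an eval flag defeats the argument check.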
