Anthropic protocol flaw

Model Context Protocol is the plumbing many AI apps use to reach files, databases and software tools — and researchers say a flaw in that plumbing can let attackers run commands on the host machine. (anthropic.com) (modelcontextprotocol.io) (ox.security) Anthropic introduced Model Context Protocol, or MCP, on November 25, 2024 as an open standard for linking AI assistants to external systems through MCP servers and clients. The specification says the protocol exposes “arbitrary data access and code execution paths,” and tells implementers to add consent and access controls around that power. (anthropic.com) (modelcontextprotocol.io) On April 15, 2026, OX Security said the official MCP software development kits in Python, TypeScript, Java and Rust contain an architectural weakness that can lead to arbitrary command execution. The firm said the issue reaches more than 150 million downloads, 7,000 public servers and as many as 200,000 vulnerable instances. (ox.security) (thehackernews.com) The basic problem is how some MCP setups start local programs: if an attacker can tamper with configuration or arguments before the server launches, the machine can end up executing the attacker’s command instead. OX Security said it traced that behavior to server-spawn patterns in the official SDKs rather than to one downstream app. (ox.security) (securityweek.com) OX Security said it demonstrated four attack paths, including user-interface injection in web apps, bypasses in Flowise, zero-click prompt injection in Windsurf and Cursor, and poisoned listings in MCP registries. The firm said it executed commands on six production platforms and listed 10 related CVEs affecting downstream products such as LiteLLM, LangChain integrations and IBM’s LangFlow. (ox.security) That lands in an ecosystem that has been moving fast. Anthropic’s launch post named early adopters including Block and Apollo, and said companies such as Zed, Replit, Codeium and Sourcegraph were already working with MCP in late 2024. (anthropic.com) Security concerns around MCP were already surfacing before this disclosure. On June 27, 2025, Oligo disclosed CVE-2025-49596, a critical bug in Anthropic’s MCP Inspector tool, and said Anthropic fixed it in version 0.14.1. (oligo.security) Anthropic has not publicly framed the new issue as a protocol bug. Multiple reports said the company told researchers the behavior was “expected” and that sanitizing inputs belongs to developers building MCP implementations. (theregister.com) (itpro.com) (tech.yahoo.com) The dispute is over where security should live in an agent stack that now spans SDKs, registries, desktop tools and cloud services. The protocol docs already warn that MCP can touch data and execute code, but the new research argues those defaults are too easy to wire up unsafely at scale. (modelcontextprotocol.io) (ox.security) For teams using MCP, the immediate work is narrower process launching, stricter input handling and tighter review of any server package or registry entry they trust. The larger test for MCP’s backers is whether an open protocol for AI tools can keep spreading without turning every connector into a new place to lose control of the machine behind it. (modelcontextprotocol.io) (claude.com) (ox.security)