Anthropic MCP Security Flaw: RCE Vulnerabilities and Remediation Guide
A systemic design flaw in the Model Context Protocol (MCP) has exposed hundreds of thousands of AI agent deployments to remote code execution, according to research from OX Security. The vulnerability stems from the protocol’s default STDIO transport, which allows for the execution of operating system commands without sanitization or execution boundaries.
Anthropic created MCP as an open standard for communication between AI agents and tools. The protocol gained rapid industry adoption, with OpenAI adopting it in March 2025 and Google DeepMind following. In December 2025, Anthropic donated the protocol to the Linux Foundation. Since then, downloads for the protocol have exceeded 150 million.
Researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok, and Roni Bar of OX Security identified that the STDIO transport—the default method for connecting an AI agent to a local tool—executes any operating system command it receives. The researchers found 7,000 servers on public IP addresses with active STDIO transport and estimate that there are 200,000 total vulnerable instances.
The security gap has resulted in more than 10 CVEs rated as high or critical across a wide array of tools, including LiteLLM, LangFlow, Flowise, Windsurf, Langchain-Chatchat, Bisheng, DocsGPT, GPT Researcher, Agent Zero, and LettaAI. OX Security confirmed arbitrary command execution on six live production platforms serving paying customers.
Architectural Disagreement on Responsibility
Anthropic has confirmed that the behavior is by design and has declined to modify the protocol. While Anthropic has not issued a standalone public statement, the company described the behavior as expected. According to OX Security, Anthropic characterizes the STDIO execution model as a secure default and maintains that input sanitization is the responsibility of the developer.
Anthropic’s technical counter-argument is that sanitizing STDIO would either break the transport’s core function or simply move the payload one layer deeper. Because STDIO is designed to launch local processes on the machine that configured it, Anthropic views the trust boundary as residing with the person who controls the configuration file.
OX Security argues that expecting 200,000 developers to correctly sanitize inputs is a failure of the protocol’s architecture. The researchers noted that shifting responsibility to implementers does not remove the risk, but merely obscures its origin.
“MCP stdio is a privileged execution surface, not a connector. Enterprise teams should treat it like production shell access. Deny by default, allowlist, sandbox and stop assuming downstream input validation will hold at scale,”
Carter Rees, VP of AI and Machine Learning at Reputation
Exploitation Vectors and Product Impact
The vulnerability manifests across four primary exploitation families. The first involves unauthenticated command injection through AI framework web interfaces, which was demonstrated against LiteLLM and LangFlow. The second involves bypassing command allowlists via argument injection, specifically using npx -c, as demonstrated against Upsonic and Flowise.
A third vector involves zero-click prompt injection in AI coding IDEs. In this scenario, malicious HTML can modify local MCP configuration files. Windsurf (CVE-2026-30615) was identified as the only IDE where this exploitation required zero user interaction. Other tools, including Gemini-CLI, Claude Code, and Cursor, are vulnerable to the same family of attacks, though they generally require some form of user interaction.
Finally, OX Security found that malicious packages could be distributed through MCP registries. The researchers submitted a benign proof-of-concept to 11 registries; nine of them accepted the submission without any security review.
Patch Status and Remaining Gaps
While several vendors have released patches, these updates address specific entry points rather than the underlying protocol. No product-level patch has changed the MCP protocol’s STDIO behavior.
- LiteLLM: Fixed in v1.83.7-stable or later (CVE-2026-30623), though new STDIO configurations outside LiteLLM remain insecure.
- Cursor: Patched against an earlier disclosure (CVE-2025-54136), but still inherits the protocol default.
- LangFlow: Partial fix; users are advised to block public auto_login and sandbox MCP services.
- Windsurf and Langchain-Chatchat: As of May 1, 2026, these remain in a reported state with unconfirmed patches.
- Flowise and Upsonic: Hardened, but OX Security confirmed that allowlists can be bypassed.
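A deny-by-default config check of the kind Rees describes, written here as an added example (not OX Security's, Anthropic's or any vendor's code) that covers both the npx -c argument-injection bypass from the exploitation section and the allowlist caveat in the patch list above. It assumes the common client layout of an mcpServers object with command and args keys, and the list of code-execution flags it denies is an assumption rather than something the article enumerates.

```python
"""Deny-by-default validator for MCP STDIO server entries (added example, not
OX Security's or any vendor's code). Assumes the common client config layout
{"mcpServers": {name: {"command": ..., "args": [...]}}}."""
import json

# Commands an operator explicitly permits; everything else is denied.
ALLOWED_COMMANDS = {"npx", "uvx", "node", "python3"}
# Assumed list of launcher flags that turn an allowlisted binary into an
# arbitrary-command runner; `npx -c` is the bypass the article cites.
SHELL_ESCAPE_FLAGS = {"npx": {"-c", "--call"}, "node": {"-e", "--eval", "-p"},
                      "python3": {"-c"}}
SHELL_BINARIES = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}


def _basename(cmd: str) -> str:
    return cmd.replace("\\", "/").rsplit("/", 1)[-1]


def naive_allowlist_check(entry: dict) -> bool:
    """The bypassable form: inspects the command name and nothing else."""
    return _basename(str(entry.get("command", ""))) in ALLOWED_COMMANDS


def hardened_check(entry: dict) -> list[str]:
    """Reject anything not allowlisted, then inspect the arguments as well."""
    base = _basename(str(entry.get("command", "")))
    args = entry.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return ["args must be a list of strings"]
    if base in SHELL_BINARIES:
        return [f"shell interpreter {base!r} is never permitted"]
    if base not in ALLOWED_COMMANDS:
        return [f"command {base!r} is not allowlisted"]
    # Argument injection: a permitted launcher plus a code-execution flag is
    # equivalent to handing the config author a shell, so it is denied too.
    flags = SHELL_ESCAPE_FLAGS.get(base, set())
    return [f"{base} {a} executes an arbitrary command string"
            for a in args if a.split("=", 1)[0] in flags]


def validate_config(config_text: str) -> dict[str, list[str]]:
    """Map each configured STDIO server to its findings (empty = allowed)."""
    cfg = json.loads(config_text)
    return {name: hardened_check(entry)
            for name, entry in cfg.get("mcpServers", {}).items()}


# Constructed sample: one legitimate server, one `npx -c` bypass, one shell.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "docs": {"command": "npx", "args": ["-y", "@example/docs-server"]},
    "injected": {"command": "npx", "args": ["-c", "echo ran as shell"]},
    "shell": {"command": "/bin/sh", "args": ["-c", "id"]},
}})
```

The naive check passes the injected entry because its command name is allowlisted; the hardened check rejects it on the flag, which is the gap the Flowise and Upsonic bypasses exploited.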
The Cloud Security Alliance independently confirmed the findings of OX Security in a research note and recommended that organizations treat MCP-connected infrastructure as an active, unpatched threat.
“MCP is shipping with the same mistake we’ve seen in every major protocol rollout: insecure defaults. If we don’t build authentication and least privilege in from day one, we’ll be cleaning up breaches for the next decade.”
Merritt Baer, chief security officer at Enkrypt AI
Anthropic updated its SECURITY.md file in January 2026 to advise that STDIO adapters should be used with caution, but the company has not implemented manifest-only execution or command allowlists in the official SDKs for Python, TypeScript, Java, and Rust.
