Cybersecurity researchers have found a important “by design” weak point within the Mannequin Context Protocol’s (MCP) structure that might pave the way in which for distant code execution and have a cascading impact on the substitute intelligence (AI) provide chain.
“This flaw permits Arbitrary Command Execution (RCE) on any system working a weak MCP implementation, granting attackers direct entry to delicate person knowledge, inner databases, API keys, and chat histories,” OX Safety researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok, and Roni Bar mentioned in an evaluation revealed final week.
The cybersecurity firm mentioned the systemic vulnerability is baked into Anthropic’s official MCP software program growth equipment (SDK) throughout any supported language, together with Python, TypeScript, Java, and Rust. In all, it impacts greater than 7,000 publicly accessible servers and software program packages totaling greater than 150 million downloads.
At difficulty are unsafe defaults in how MCP configuration works over the STDIO (commonplace enter/output) transport interface, ensuing within the discovery of 10 vulnerabilities spanning in style tasks like LiteLLM, LangChain, LangFlow, Flowise, LettaAI, and LangBot –
- CVE-2025-65720 (GPT Researcher)
- CVE-2026-30623 (LiteLLM) – Patched
- CVE-2026-30624 (Agent Zero)
- CVE-2026-30618 (Fay Framework)
- CVE-2026-33224 (Bisheng) – Patched
- CVE-2026-30617 (Langchain-Chatchat)
- CVE-2026-33224 (Jaaz)
- CVE-2026-30625 (Upsonic)
- CVE-2026-30615 (Windsurf)
- CVE-2026-26015 (DocsGPT) – Patched
- CVE-2026-40933 (Flowise)
These vulnerabilities fall underneath 4 broad classes, successfully triggering distant command execution on the server –
- Unauthenticated and authenticated command injection by way of MCP STDIO
- Unauthenticated command injection by way of direct STDIO configuration with hardening bypass
- Unauthenticated command injection by way of MCP configuration edit via zero-click immediate injection
- Unauthenticated command injection via MCP marketplaces by way of community requests, triggering hidden STDIO configurations
“Anthropic’s Mannequin Context Protocol offers a direct configuration-to-command execution by way of their STDIO interface on all of their implementations, no matter programming language,” the researchers defined.
“As this code was meant for use with a view to begin an area STDIO server, and provides a deal with of the STDIO again to the LLM. However in observe it really lets anybody run any arbitrary OS command, if the command efficiently creates an STDIO server it would return the deal with, however when given a unique command, it returns an error after the command is executed.”
Curiously, vulnerabilities primarily based on the identical core difficulty have been reported independently over the previous 12 months. They embody CVE-2025-49596 (MCP Inspector), LibreChat (CVE-2026-22252), WeKnora (CVE-2026-22688), @akoskm/create-mcp-server-stdio (CVE-2025-54994), and Cursor (CVE-2025-54136).
Anthropic, nonetheless, has declined to switch the protocol’s structure, citing the habits as “anticipated. Whereas a few of the distributors have issued patches, the shortcoming stays unaddressed in Anthropic’s MCP reference implementation, inflicting builders to inherit the code execution dangers.
The findings spotlight how AI-powered integrations can inadvertently broaden the assault floor. To counter the menace, it is suggested to dam public IP entry to delicate companies, monitor MCP device invocations, run MCP-enabled companies in a sandbox, deal with exterior MCP configuration enter as untrusted, and solely set up MCP servers from verified sources.
“What made this a provide chain occasion quite than a single CVE is that one architectural choice, made as soon as, propagated silently into each language, each downstream library, and each challenge that trusted the protocol to be what it seemed to be,” OX Safety mentioned. “Shifting accountability to implementers doesn’t switch the danger. It simply obscures who created it.”
