Anthropic MCP Protocol’s Design-Level Flaw Threatens Over 200K Servers – AI Supply‑Chain Alarm

1. Vulnerability Overview: STDIO Design Flaw

The Model Context Protocol (MCP) released by Anthropic in November 2024 uses STDIO as its local transport mechanism. OX Security discovered that when the command parameter contains any OS command, the command is executed regardless of whether the MCP server process starts successfully, creating a "execute‑then‑verify" pattern.

"MCP's STDIO interface was designed to launch a local server process. But the command is executed regardless of whether the process starts successfully. Pass in a malicious command, receive an error – and the command still runs."

This allows attackers to inject malicious commands during the process‑startup phase and exploit the time window between command execution and error return.

2. Four Attack Vectors

2.1 Unauthorized Command Injection

Affected projects: LangFlow (IBM open‑source low‑code AI framework), GPT Researcher

Associated CVE: CVE‑2025‑65720 (GPT Researcher)

Risk: Full server control, access to sensitive user data, internal databases, API keys, and chat logs

2.2 Hardened Bypass Attack (Whitelist Breakthrough)

Some MCP implementations whitelist commands such as python, npm, and npx. The command parameter is still executed, and attackers can abuse the arguments of these "safe" commands to bypass restrictions.

Bypass example: npx -c <malicious_command> Affected projects: Upsonic (CVE‑2026‑30625), Flowise (GHSA‑c9gw‑hvqq‑f33r)

2.3 Zero‑Click Prompt Injection

In AI IDEs and coding assistants, user prompts directly influence MCP configuration. An attacker can craft a prompt that silently modifies the local MCP config file; when the server loads the config, the malicious command runs without any user interaction.

Affected projects: Windsurf (CVE‑2026‑30615, confirmed zero‑click RCE), Cursor (CVE‑2025‑54135 / CVE‑2025‑54136)

This vector shows a fundamental mismatch with traditional web security, which assumes a clear boundary between user input and developer code; MCP’s LLM agents can read attacker‑controlled content and alter local configuration, bypassing developer‑written validation.

2.4 MCP Marketplace Poisoning

Follow‑up research on 18 April 2026 submitted malicious proof‑of‑concept MCP servers to 11 marketplaces, of which nine accepted them. mcp-database-server (CVSS 8.8): MySQL adapter hard‑coded with multipleStatements: true, allowing SELECT 1; DROP TABLE users; -- to bypass checks. mcp-ssh: LLM can point to any hostname, exposing three distinct RCE/data‑exfiltration paths.

ClickHouse official MCP server: uses DROP/**/TABLE to evade security checks.

3. Impact Scope: Over 30 Disclosures, 10+ High‑Severity CVEs

CVE‑2025‑65720 – GPT Researcher – Reported

CVE‑2026‑30623 – LiteLLM – Fixed

CVE‑2026‑30624 – Agent Zero – Reported

CVE‑2026‑30618 – Fay Framework – Reported

CVE‑2026‑33224 – Bisheng – Fixed

CVE‑2026‑30617 – Langchain‑Chatchat – Reported

CVE‑2026‑30625 – Upsonic – Reported

CVE‑2026‑30615 – Windsurf – Reported

CVE‑2026‑26015 – DocsGPT – Fixed

CVE‑2025‑54136 – Cursor – Reported

4. Potential Consequences

Successful exploitation can lead to:

Sensitive data leakage (API keys, environment variables, SSH keys)

Full conversation history exposure (RAG retrieval context and user dialogues)

Lateral movement from personal devices to corporate networks

Supply‑chain backdoors persisted via "trusted" MCP configurations

5. Anthropic’s Response

Anthropic argues that STDIO execution is an intentional design choice and that client developers must validate the contents of the command field, likening it to the responsibility model of databases and libraries.

OX Security counters that MCP’s integration with LLM agents breaks the core assumption of traditional web security: the "user" identity is ambiguous, and zero‑interaction scenarios prevent developers from ever executing input‑validation logic.

"User" identity is unclear – attackers act through LLM agents that modify local config without developer awareness.

Zero‑interaction blind spots – in whitelist‑bypass and zero‑click injection, no human is present to trigger validation.

Responsibility shift – Anthropic only updates guidance to "use MCP adapters cautiously" while leaving the vulnerability unchanged.

6. Mitigation Recommendations

Immediate Actions

Upgrade SDKs (python‑mcp‑sdk, node‑mcp‑sdk) to the latest hardened versions.

Disable public exposure of large language models and related AI tools.

Enforce strict regex validation and shell‑escaping for command and args fields.

Run MCP servers in sandboxed environments (Docker containers or restricted WASM).

Apply the principle of least privilege to MCP server processes.

Long‑Term Protocol Fixes

Deprecate unclean STDIO connections in favor of security‑first designs.

Add command isolation mechanisms at the MCP specification level.

Introduce an explicit "dangerous mode" that requires confirmed user consent for high‑privilege configurations.

Establish a standardized MCP marketplace security checklist and verification process.

7. Conclusion

The STDIO design flaw in MCP represents a structural challenge to traditional security models in the AI era. When a protocol permits arbitrary command execution without isolation, even diligent developers cannot fully mitigate systemic risk. As OX Security warns, without protocol‑level remediation, AI infrastructure faces a "Mother of All AI Supply‑Chain"‑level disaster.