- Ox Security found a design flaw in Anthropic’s Model Context Protocol that exposes 200,000 servers to full system takeover.
- Anthropic told researchers the protocol is working as intended—even after 10 high- and critical-severity CVEs were issued for downstream tools.
- The vulnerability chain affects software packages with over 150 million combined downloads and every major AI coding assistant on the market.
A protocol that connects AI agents to the outside world has a hole in it—and the company that built it doesn’t want to fix it. Security researchers at Ox Security say they discovered a design flaw in Anthropic’s Model Context Protocol (MCP) that allows attackers to execute arbitrary commands on servers running MCP adapters, The Register reported. The flaw affects an estimated 200,000 servers.
MCP, which Anthropic introduced in November 2024, has become the de facto standard for connecting AI agents to external data and tools. It works across programming languages—Python, TypeScript, Java, Kotlin—meaning any developer using Anthropic’s official SDK is potentially exposed. The protocol’s STDIO transport spawns an MCP server as a subprocess from a configured command string, so in practice whoever controls that configuration can run any arbitrary operating system command.
Anthropic’s response, according to Ox researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok, and Roni Bar, was that the behavior is “expected.” The team says they “repeatedly” asked Anthropic to patch the root issue across more than 30 responsible disclosure processes that began in November 2025. “This change didn’t fix anything,” the researchers wrote after Anthropic quietly updated its security policy a week after the initial report. Anthropic did not respond to The Register’s inquiries.
Four Ways to Break MCP—and One Fix Anthropic Refused to Make
The Ox team identified four distinct vulnerability classes, each exploiting the STDIO mechanism differently. The first—and most dangerous—is unauthenticated command injection: user-supplied command strings run directly on the server without authentication or sanitization. Any AI framework with a publicly facing UI is vulnerable. Affected projects include all versions of LangFlow, IBM’s open-source low-code AI framework, and GPT Researcher, an open-source AI research agent (CVE-2025-65720).
The second class bypasses hardening measures that were supposed to prevent exactly this. Upsonic (CVE-2026-30625) and Flowise both implemented allowlists—only `python`, `npm`, and `npx` should run as the command. Ox researchers bypassed them by passing a shell command as an argument to an allowed executable: `npx -c <command>`. It’s the security equivalent of locking the front door while leaving the windows open.
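To show why a command-only allowlist fails against the first two classes above and what an argument-aware policy looks like, here is an added defender's example (not Ox's or any affected project's code). The flag and package-name rules, the `hardened_check` name, and the sample configurations are assumptions for illustration.

```python
import re
from typing import Any, Mapping, Tuple

# Weak setting as described for the affected projects: only the executable is checked.
ALLOWED_COMMANDS = {"python", "npm", "npx"}

def naive_allowlist_ok(cfg: Mapping[str, Any]) -> bool:
    """Command-only allowlist: accepts `npx -c <anything>` because args are never inspected."""
    return cfg.get("command") in ALLOWED_COMMANDS

# Illustrative hardened policy (assumed): flags and the first positional are allowlisted too.
ALLOWED_FLAGS = {"npx": {"-y", "--yes"}, "npm": set(), "python": set()}
SHELL_META = re.compile(r"[;&|`$<>(){}\n\\]")
NPM_PACKAGE = re.compile(r"^(@[a-z0-9][\w.-]*/)?[a-z0-9][\w.-]*(@[\w.^~-]+)?$")
SCRIPT_PATH = re.compile(r"^[\w./-]+\.py$")

def hardened_check(cfg: Mapping[str, Any]) -> Tuple[bool, str]:
    """Return (accepted, reason) for an MCP STDIO server entry {"command": ..., "args": [...]}."""
    cmd = cfg.get("command")
    args = cfg.get("args") or []
    if cmd not in ALLOWED_COMMANDS:
        return False, f"command not allowlisted: {cmd!r}"
    for a in args:  # defence in depth: no shell metacharacters anywhere in the argv
        if not isinstance(a, str) or SHELL_META.search(a):
            return False, f"argument contains shell metacharacters: {a!r}"
    for flag in (a for a in args if a.startswith("-")):  # e.g. npx -c, python -c are rejected
        if flag not in ALLOWED_FLAGS[cmd]:
            return False, f"flag not allowlisted for {cmd}: {flag!r}"
    positionals = [a for a in args if not a.startswith("-")]
    if not positionals:
        return False, "no target package or script given"
    target = positionals[0]
    if cmd in ("npx", "npm") and not NPM_PACKAGE.match(target):
        return False, f"first argument is not a package spec: {target!r}"
    if cmd == "python" and not SCRIPT_PATH.match(target):
        return False, f"python target is not a .py script: {target!r}"
    return True, "ok"

# Constructed sample configurations (not taken from the report).
LEGIT = {"command": "npx", "args": ["-y", "@example/mcp-server", "/srv/data"]}
NPX_INJECT = {"command": "npx", "args": ["-c", "id"]}            # the bypass described on the page
PY_INJECT = {"command": "python", "args": ["-c", "import os"]}   # same idea via the interpreter
META = {"command": "npx", "args": ["-y", "some-pkg; id"]}
```

`naive_allowlist_ok` accepts all four entries; `hardened_check` accepts only `LEGIT`.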
The third vulnerability class is zero-click prompt injection across AI coding assistants. Windsurf is the only IDE with a confirmed CVE (CVE-2026-30615)—the user’s prompt directly influences the MCP JSON configuration with no interaction required. Claude Code, Cursor, Gemini-CLI, and GitHub Copilot are also affected, but Google, Microsoft, and Anthropic all said it was a “known issue” or “not a valid security vulnerability” because it requires explicit user permission to modify the file. The fourth class targets MCP marketplaces directly—Ox successfully poisoned 9 out of 11 of them.
Ox argues the fix belongs at the protocol level rather than in each downstream project. “One architectural change at the protocol level would have protected every downstream project, every developer, and every end user who relied on MCP today,” the researchers wrote. “That’s what it means to own the stack.”
What This Means for the Agentic AI Ecosystem
The timing is awkward. Just last week, Anthropic announced it was donating MCP to a new Agentic AI Foundation—an industry consortium meant to govern the protocol’s future. The adoption wave has been massive: Amazon recently bet its advertising business on MCP, and the protocol underpins an ecosystem of tools used by millions of developers. A systemic vulnerability at the protocol level doesn’t just affect one company—it affects the entire trust model of agentic AI.
The Mythos situation makes this worse, not better. Anthropic withheld its most capable model over cybersecurity concerns—then declined to fix a protocol vulnerability that gives attackers the same kind of system access the company said it was afraid of. The irony isn’t lost on the security community.
SecurityWeek described the flaw as enabling “silent command execution and full system compromise.” For a protocol that’s supposed to be the connective tissue between AI agents and enterprise systems, that’s not a reassuring headline. The question now is whether the Agentic AI Foundation will inherit the vulnerability along with the protocol—or whether Anthropic will finally own the stack it built.
Ox Security published a 30-page research paper detailing the findings alongside their blog post. Ten CVEs have been issued so far, with more expected as additional MCP-dependent projects complete their security reviews.
