# Vulnerability in Anthropic's MCP Protocol: Why the Company Ignores RCE in Its Stack
Researchers from OX Security have uncovered a critical vulnerability in Anthropic's Model Context Protocol (MCP) that enables remote code execution (RCE) via local servers. Despite more than 30 rounds of responsible disclosure since November 2025, Anthropic has refused to implement architectural changes, deeming the behavior "expected." Meanwhile, the company actively promotes its AI models as tools for spotting vulnerabilities in third-party projects.
Architectural Flaw at the Core of MCP
The MCP protocol is designed for interaction between AI agents and external tools by launching local subprocesses. The problem crops up during command processing: instead of strictly validating the executable path, the protocol accepts any string as a command. If the command succeeds and opens a port, the system deems it valid. If not, it returns an error—but the command has already run. This allows arbitrary code execution on the host machine with no further checks.
The vulnerability impacts all official Anthropic SDKs—Python, TypeScript, Java, C#, Go, Ruby, Swift, PHP, and Rust. Any developer using MCP automatically inherits this risk. OX Security estimates that up to 200,000 servers and an ecosystem with over 150 million SDK downloads are exposed.
Four Attack Vectors
The OX team identified four primary ways to exploit the vulnerability:
- Direct access via web interface—lack of authentication and filtering lets attackers run arbitrary commands through LangFlow (IBM) and GPT Researcher interfaces.
- Bypassing whitelists—even if only safe utilities are allowed (e.g.,
npx), attackers can inject malware via command arguments. Upsonic and Flowise are vulnerable. - AI code editors—tools like Cursor, Windsurf, Claude Code, Gemini-CLI, and GitHub Copilot can automatically apply configurations containing exploits. A CVE was issued only for Windsurf; other vendors, including Google and Microsoft, have declined to acknowledge the issue.
- Malicious packages in MCP catalogs—researchers uploaded exploit packages to 9 out of 11 public marketplaces. Only GitHub's managed registry rejected the submission.
Double Standards in Security
Anthropic positions its Claude Opus 4.6 model as a leader in vulnerability detection: according to the company, it uncovered over 500 previously unknown bugs in popular open-source libraries. In April 2026, Project Glasswing launched with the even more powerful Mythos model, which detects zero-days in the Linux kernel, FreeBSD, OpenBSD, FFmpeg, and major browsers.
Yet amid these claims, the company is ignoring its own critical flaw. After OX Security's initial report, Anthropic merely added a warning to its SECURITY.md file: "STDIO adapters should be used with caution." Researchers argue this doesn't address the architectural issue.
Recommendations and Current Status
Until an official patch arrives, OX Security recommends:
- Don't expose MCP services publicly;
- Strictly validate all incoming configurations and commands;
- Run MCP processes in isolated environments with minimal privileges (e.g., via gVisor or Firecracker).
Several projects have already released their own fixes: LiteLLM, DocsGPT, Flowise, and Bisheng. However, platforms like LangFlow, Agent Zero, and Fay Framework remain vulnerable. Anthropic continues to insist the protocol behaves as intended and has no plans for changes.
Key Takeaways
- The MCP vulnerability enables RCE through uncontrolled command execution when launching local servers.
- All official Anthropic SDKs are affected—it's a systemic issue, not isolated.
- Anthropic rejected architectural fixes despite 30+ rounds of responsible disclosure.
- The company promotes AI for finding others' vulnerabilities while ignoring its own.
- Developers should isolate MCP processes and avoid trusting external configurations.
— Editorial Team
No comments yet.