Introduction
Security researchers at Ox Security reported an architectural flaw in Anthropic's Model Context Protocol (MCP). According to the researchers, the flaw puts up to 200,000 servers and LangFlow projects at risk in total, with more than 150 million cumulative downloads [1], [2]. Anthropic refused to modify the protocol, classifying the behaviour as "expected" [1], [2].
What Is MCP?
MCP is an open-source standard for connecting AI applications to external systems, and it positions itself as a standard "USB-like connector for AI applications" [3]. The protocol allows models such as Claude or ChatGPT to access local files, databases, search engines, and specialised workflows through a unified interface [3].
Anthropic introduced MCP in late 2024, presenting it as a universal, open standard for connecting AI systems to data sources [4]. The architecture contains three components:
- the host (such as Claude Desktop or Cursor IDE),
- the client (which maintains a one-to-one connection to a server over JSON-RPC), and
- the server itself (which exposes capabilities to the client) [4].
The transport layer supports three modes: STDIO, HTTP, and server-sent events (SSE) [4].
Today the ecosystem contains dozens of official integrations with major software vendors, including Grafana, Heroku, and Elasticsearch, plus more than 200 community and demonstration servers [4]. OpenAI and Google have also joined in supporting the project [4]. That rapid growth has brought a correspondingly large attack surface.
Technical Fubar
The root problem lies in the STDIO transport mechanism (standard input and output). MCP uses STDIO so that an AI application can spawn an MCP server as a subprocess [1], [2]. The Ox researchers observed that the same mechanism executes whatever operating-system command the caller supplies: if the command happens to start a STDIO server, control is returned normally; otherwise an error is returned, but only after the command has already run [1].
The flaw is not tied to one language. Every developer using Anthropic's official SDK in Python, TypeScript, Java, or Rust inherits the same underlying vulnerability [1], [2]. Security has long been the main criticism of MCP, because ease of deployment is combined with the ability of those servers to execute arbitrary code [4].
New tricks, but old dogs...
Ox documented four distinct attack vectors in its 30-page report [1], [2].
1. Command Injection, Authenticated and Unauthenticated
An attacker inserts user-controlled commands that are executed directly on the server without authentication or input sanitisation. The result is full system compromise. All versions of LangFlow, IBM's open-source framework for building AI applications, remain affected with no CVE issued [1]. GPT Researcher received identifier CVE-2025-65720, but according to the article a patch is still not available [1].
2. Command Injection with Hardening Bypass
Some projects restrict acceptable commands to a fixed list, for example python, npm, and npx, in order to block direct injection. Upsonic (CVE-2026-30625) and Flowise (GHSA-c9gw-hvqq-f33r) applied that approach. The researchers nevertheless successfully bypassed the restriction by injecting the command indirectly through the arguments of the permitted commands [1].
3. Zero-Click Prompt Injection in AI IDEs
This class affects integrated development environments and coding assistants, including Windsurf, Claude Code, Cursor, Gemini-CLI, and GitHub Copilot [1], [2]. Only Windsurf received a CVE (CVE-2026-30615). It is also the only true zero-click case, because the user's prompt directly modifies the MCP JSON configuration without any further user interaction [1]. Google, Microsoft, and Anthropic responded that the remainder do not constitute a valid security vulnerability, because a change to the configuration file requires the user's explicit permission [1].
4. Poisoning of MCP Marketplaces
Using a proof-of-concept MCP server that merely creates an empty file in place of a malicious payload, Ox successfully placed its submission in nine out of eleven tested marketplaces [1], [2]. Some of those platforms receive hundreds of thousands of monthly visitors. A single malicious entry could be installed by thousands of developers before detection, giving the attacker arbitrary command execution on every deployment [1].
Anthropic's Position
Ox reported that it repeatedly proposed a root-level patch at the protocol level, which would immediately protect all LangFlow projects. Anthropic refused to modify the protocol architecture, classifying the behaviour as "expected" and asserting that input sanitisation is the developer's responsibility [2]. One week after the initial report, the company quietly updated its security guidance, advising careful use of STDIO adapters. According to the researchers, that change fixed nothing of substance [1].
To date the disclosure efforts have resulted in 10 CVEs of high or critical severity and more than 30 responsible disclosure processes, which began in November 2025 [1], [2].
Summary
The 10 CVEs issued so far cover an ecosystem with more than 150 million cumulative downloads and more than 7,000 publicly accessible servers [2], [4]. Developers who integrate MCP-based tools or AI agents should review the specific projects listed above, apply available patches, and avoid installing MCP servers from unverified marketplaces. Local deployments should confine MCP servers by means of Unix access controls or an equivalent sandbox, regardless of the official SDK behaviour [4]. Because the root flaw remains in the SDK itself, mandatory input sanitisation at application level will remain the responsibility of every LangFlow consumer until Anthropic eventually revises its architectural decision.
Which, well, I wouldn't hold your breath.
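The application-level gate that the summary calls for, written out as an added example that is not part of the original article, the Ox report, or any MCP SDK: a Python auditor that checks an MCP client configuration (assumed to use the common mcpServers layout with command, args and env keys) before any STDIO server is spawned, which is the only moment a check can help, since the report notes that the command has already run by the time the SDK reports an error. It enforces a command allow-list of the python/npm/npx kind described under vector 2 and, because that alone was bypassed through arguments, also rejects interpreter flags that run inline code, shell operators inside an argument, unpinned npx packages (the marketplace concern of vector 4) and environment variables that alter what an interpreter loads. The allow-list, the flag table, the variable list and the sample configuration are assumptions constructed for illustration.

```python
"""Audit an MCP client configuration before any STDIO server is spawned.

Added example; not code from the Ox report, Anthropic, or any MCP SDK.
Assumes the common ``mcpServers`` layout ({"command", "args", "env"}).
The allow-list, flag table, env list and sample config are constructed.
"""
import json
import re
from dataclasses import dataclass

# Interpreters this deployment permits (assumption: the python/npm/npx
# style of allow-list that the report describes projects using).
ALLOWED_COMMANDS = {"python", "python3", "npm", "npx"}

# Flags/subcommands that turn an allowed interpreter into a runner for
# arbitrary code. Checking only the command name is the "hardening" that
# the report's second vector bypassed; the arguments must be checked too.
CODE_EXEC_FLAGS = {
    "python": {"-c", "-m"},
    "python3": {"-c", "-m"},
    "npx": {"-c", "--call"},
    "npm": {"exec", "x"},
}

# Environment variables that change what an interpreter loads before the
# server's own code runs.
SUSPICIOUS_ENV = {"LD_PRELOAD", "NODE_OPTIONS", "PYTHONSTARTUP", "PYTHONPATH"}

# Shell operators that have no business inside a single argv element.
SHELL_META = re.compile(r"[;&|`$<>]")


@dataclass(frozen=True)
class Finding:
    server: str
    reason: str


def _basename(command: str) -> str:
    """Compare "python3" and "/usr/bin/python3" on the basename only."""
    return command.rsplit("/", 1)[-1]


def audit_server(name: str, spec: dict) -> list[Finding]:
    """Return every reason this server entry should not be spawned."""
    findings: list[Finding] = []
    command = str(spec.get("command", ""))
    args = [str(a) for a in spec.get("args", [])]
    env = dict(spec.get("env", {}))

    base = _basename(command)
    if base not in ALLOWED_COMMANDS:
        findings.append(Finding(name, f"command {command!r} is not in the allow-list"))
        return findings  # nothing else about this entry can make it acceptable

    for arg in args:
        if arg in CODE_EXEC_FLAGS.get(base, set()):
            findings.append(Finding(name, f"{base} invoked with code-execution flag {arg!r}"))
        if SHELL_META.search(arg):
            findings.append(Finding(name, f"argument {arg!r} contains shell operators"))

    if base == "npx":
        # First non-flag argument is the package; require an explicit version
        # so a marketplace entry cannot silently swap in a new release.
        packages = [a for a in args if not a.startswith("-")]
        if packages and packages[0].rfind("@") <= 0:
            findings.append(Finding(name, f"npx package {packages[0]!r} is not version-pinned"))

    for var in sorted(set(env) & SUSPICIOUS_ENV):
        findings.append(Finding(name, f"env sets {var}, which alters interpreter loading"))
    return findings


def audit_config(config: dict) -> list[Finding]:
    """Audit every server in a parsed mcpServers-style config."""
    findings: list[Finding] = []
    for name, spec in config.get("mcpServers", {}).items():
        findings.extend(audit_server(name, spec))
    return findings


def audit_config_text(text: str) -> list[Finding]:
    """Same check, starting from the raw JSON text of the config file."""
    return audit_config(json.loads(text))


def is_safe_to_spawn(config: dict) -> bool:
    """The gate: spawn STDIO servers only when the audit is clean."""
    return not audit_config(config)


# Constructed sample config: two acceptable entries and three that must fail.
SAMPLE_CONFIG = {
    "mcpServers": {
        "notes": {"command": "python3", "args": ["/opt/mcp/notes_server.py"]},
        "search": {"command": "npx", "args": ["-y", "example-search-mcp@2.1.0"]},
        "helper": {"command": "/usr/bin/python3", "args": ["-c", "print('hello')"]},
        "shell": {"command": "bash", "args": ["-lc", "<anything>"]},
        "tools": {"command": "npx", "args": ["example-tools-mcp"],
                  "env": {"NODE_OPTIONS": "--require /tmp/hook.js"}},
    }
}

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.server}] {f.reason}")
    print("safe to spawn:", is_safe_to_spawn(SAMPLE_CONFIG))
```

Run against the sample, the auditor accepts "notes" and "search" and rejects the other three: "helper" because an allow-listed interpreter is given -c, "shell" because bash is outside the allow-list, and "tools" twice, for an unpinned package and for an env entry that would load code before the server starts. The design point is that the gate runs in the host, ahead of the SDK's spawn call, so it does not depend on Anthropic revising the protocol.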
References
[1] J. Lyons, "Anthropic won't own MCP 'design flaw' putting 200K servers at risk, researchers say," The Register, 16 Apr. 2026. [Online]. Available: https://www.theregister.com/2026/04/16/anthropic_mcp_design_flaw/
[2] Ox Security, "The Mother of All AI Supply Chains," Ox Security Research Blog, Apr. 2026. [Online]. Available: https://20204725.hs-sites.com/the-mother-of-all-ai-supply-chains?submissionGuid=f8ec6719-530c-4b0a-ab2d-1558df0812fa
[3] Model Context Protocol, "What is the Model Context Protocol (MCP)?," Model Context Protocol Documentation, 2025. [Online]. Available: https://modelcontextprotocol.io/docs/getting-started/intro
[4] T. Mann, "Everything you need to get up and running with MCP, Anthropic's USB-C for AI," The Register, 21 Apr. 2025. [Online]. Available: https://www.theregister.com/2025/04/21/mcp_guide/