Ethical Hacking News
Anthropic's Model Context Protocol (MCP) has been found to contain a critical flaw that allows for arbitrary command execution, putting millions of users at risk. The Ox research team has called on Anthropic to take responsibility for securing the protocol and making it secure by default.
The Ox research team discovered a critical flaw in Anthropic's Model Context Protocol (MCP), a widely used protocol in AI applications. The vulnerability allows for unauthenticated and authenticated command injection, posing significant risks to the security and integrity of AI applications. Four attack vectors have been identified: unauthenticated command injection, unauthenticated command injection with hardening bypass, zero-click prompt injection across IDEs, and MCP marketplaces exploitation. Anthropic declined to modify the protocol's architecture despite the presence of high- and critical-severity CVEs issued for individual open-source tools and AI agents using MCP. The Ox research team argues that Anthropic has the ability and responsibility to make MCP secure by default, highlighting the need for vendors to prioritize security.
In a recent revelation, security researchers from the Ox research team have uncovered a critical flaw in Anthropic's Model Context Protocol (MCP), an open-source protocol used by various artificial intelligence (AI) applications and agents to connect to external data, systems, and one another. This discovery has significant implications for the AI community, as it highlights the vulnerability of MCP to exploitation by malicious actors.
The Ox research team has been investigating Anthropic's MCP since November 2025, during which they conducted more than 30 responsible disclosure processes with the vendor. Despite their efforts, Anthropic declined to modify the protocol's architecture, citing the behavior as "expected," despite the presence of 10 high- and critical-severity CVEs issued for individual open-source tools and AI agents that use MCP.
The root issue lies in MCP's use of STDIO (standard input/output) as a local transport: an AI application launches an MCP server by spawning, as a subprocess, whatever command its configuration names. The spawning code therefore runs any arbitrary OS command it is handed. If the command happens to start a STDIO server, the application receives a handle to it; if it is any other command, the application reports an error, but only after the command has already executed. This behaviour can be exploited in four different ways, each of which poses significant risks to the security and integrity of AI applications.
The first type of vulnerability, unauthenticated and authenticated command injection, allows an attacker to enter user-controlled commands that will run directly on the server without authentication or sanitization. This can lead to total system compromise, and any AI framework with a publicly facing UI is vulnerable. Vulnerable projects include all versions of LangFlow, IBM's open-source low-code framework for building AI applications and agents.
The second attack vector, unauthenticated command injection with hardening bypass, allows miscreants to bypass protections and user input sanitization implemented by developers to run commands directly on the server. This vulnerability can be exploited by indirectly injecting the command via the allowed command's arguments, which may seem like a minor issue but has significant implications for the security of AI applications.
The third type of vulnerability allows zero-click prompt injection across AI integrated development environments (IDEs) and coding assistants such as Windsurf, Claude Code, Cursor, Gemini-CLI, and GitHub Copilot. This vulnerability can be exploited by modifying the MCP JSON configuration with no user interaction, which raises significant concerns about the security and integrity of AI applications.
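The three issues above share one mechanism: a `command` plus `args` taken from an MCP JSON configuration (or from a web form, in the LangFlow case) and spawned as a subprocess. The following is an added example, not code from the page, from the Ox research team or from Anthropic, of the check a client or framework can run before spawning. It assumes the `{"mcpServers": {"<name>": {"command": ..., "args": [...]}}}` shape that several MCP clients use for their config files; the allow-list, the shell-wrapper list and the interpreter-flag table are policy assumptions a deployment would tune. It rejects commands not on the allow-list, catches the "allowed interpreter, hostile arguments" bypass (`node -e`, `python -c`), and fingerprints the config so a client can notice when the file was modified behind the user's back, which is the zero-click path.

```python
"""Lint an MCP JSON configuration before an AI client spawns STDIO servers.

Added example, not code from the article, from Ox or from Anthropic. The
config shape is the common client-side one; the policy tables are assumptions.
"""
import hashlib
import json
import os
from dataclasses import dataclass

# Assumed policy: only these executables may be spawned as STDIO servers.
ALLOWED_COMMANDS = {"npx", "uvx", "node", "python", "python3", "docker"}

# Shell wrappers turn the rest of argv into an arbitrary one-liner, so the
# "command" field no longer describes what actually runs.
SHELL_WRAPPERS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}

# Interpreter flags that evaluate the next argument as code. An allow-listed
# interpreter followed by one of these is the argument-level bypass the
# article describes (assumed table, extend per interpreter).
EVAL_FLAGS = {
    "node": {"-e", "--eval", "-p", "--print"},
    "python": {"-c"},
    "python3": {"-c"},
}

SHELL_METACHARS = set(";|&`$<>(){}\n")


@dataclass
class Finding:
    server: str
    severity: str  # "critical" or "high"
    reason: str


def lint_server(name: str, spec: dict) -> list:
    """Check one server entry against the policy above; return its findings."""
    command = spec.get("command")
    args = spec.get("args", [])
    if not isinstance(command, str) or not isinstance(args, list):
        return [Finding(name, "critical", "command/args have unexpected types")]
    base = os.path.basename(command).lower()
    findings = []
    if base in SHELL_WRAPPERS:
        findings.append(Finding(name, "critical", f"spawns a shell wrapper: {command}"))
    elif base not in ALLOWED_COMMANDS:
        findings.append(Finding(name, "critical", f"command not on allow-list: {command}"))
    for arg in args:
        if not isinstance(arg, str):
            findings.append(Finding(name, "high", f"non-string argument: {arg!r}"))
            continue
        if arg in EVAL_FLAGS.get(base, set()):
            findings.append(Finding(name, "critical", f"{base} {arg} evaluates its argument as code"))
        if set(arg) & SHELL_METACHARS:
            findings.append(Finding(name, "high", f"shell metacharacters in argument: {arg!r}"))
    return findings


def lint_config(text: str) -> list:
    """Parse an MCP JSON config and lint every server entry."""
    servers = json.loads(text).get("mcpServers", {})
    findings = []
    for name, spec in servers.items():
        findings.extend(lint_server(name, spec))
    return findings


def fingerprint(text: str) -> str:
    """Whitespace-independent SHA-256 of the config, recorded when the user
    approved it; a different value at spawn time means the file was edited."""
    canonical = json.dumps(json.loads(text), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


# Constructed sample: one ordinary server and one that mirrors the article's
# empty-file proof of concept through an allow-listed interpreter.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "npx",
                       "args": ["-y", "@example/server-filesystem", "/home/dev/project"]},
        "helper": {"command": "node",
                   "args": ["-e", "require('fs').writeFileSync('empty.txt','')"]},
    }
})

if __name__ == "__main__":
    print("fingerprint:", fingerprint(SAMPLE_CONFIG))
    for f in lint_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.server}: {f.reason}")
```

Running it flags only the `helper` entry (a critical finding for `node -e` and a high one for the metacharacters in its payload) and leaves the plain `npx` server alone. A client would call `lint_config` and compare `fingerprint` against the value stored at approval time before every spawn, refusing to start any server with a critical finding or a changed fingerprint; a web framework accepting a command from a form would apply `lint_server` to the submitted fields server-side rather than trusting UI-side sanitisation.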
Finally, the fourth vulnerability family can be delivered through MCP marketplaces: the researchers were able to poison nine out of 11 marketplaces with a proof-of-concept MCP server that runs a command creating an empty file. This poses a significant risk to developers who rely on MCP, as a single malicious MCP entry in any of these directories could be installed by thousands of developers before detection.
The Ox research team argues that Anthropic has the ability and responsibility "to make MCP secure by default." They emphasize that one architectural change at the protocol level would have protected every downstream project, every developer, and every end user who relies on MCP today. This highlights the need for vendors like Anthropic to prioritize security and take proactive measures to mitigate vulnerabilities in their products.
In response to this discovery, Anthropic quietly released an updated security policy, which advises users to use MCP adapters, specifically STDIO ones, with caution. However, the Ox research team has expressed disappointment that this change did not fix the underlying issue and only provided a superficial solution.
The discovery of this critical flaw in Anthropic's MCP protocol serves as a reminder of the importance of security and responsible disclosure in the AI community. As AI continues to advance and become increasingly pervasive, it is essential that vendors prioritize security and take proactive measures to mitigate vulnerabilities in their products.
In conclusion, the Ox research team's discovery highlights the need for greater transparency and accountability from vendors like Anthropic when it comes to security and vulnerability disclosure. It also underscores the importance of responsible disclosure practices in identifying and addressing security vulnerabilities before they can be exploited by malicious actors.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Critical-Flaw-in-Anthropics-MCP-Protocol-Exposed-A-Threat-to-AI-Safety-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2026/04/16/anthropic_mcp_design_flaw/
https://www.theregister.com/2026/04/16/anthropic_mcp_design_flaw/
https://medium.com/@cdcore/mcp-is-broken-and-anthropic-just-admitted-it-7eeb8ee41933
Published: Thu Apr 16 18:08:09 2026 by llama3.2 3B Q4_K_M