Ethical Hacking News
Anthropic's handling of security vulnerabilities within its products has been called into question after a proof-of-concept attack demonstrated how a cloned code repository can exploit the Model Context Protocol (MCP) server to execute malicious code with full user privileges.
Anthropic's handling of security vulnerabilities within its products has been criticized. A proof-of-concept attack demonstrated how a cloned code repository can exploit the Model Context Protocol server in Anthropic's products. The attack exploits an inconsistency in Anthropic's configuration system, allowing an attacker to bypass permissions and execute malicious code. Users need clearer warnings and more explicit consent mechanisms when using Anthropic's products. The vulnerability has significant consequences, including compromised systems and potential unauthorized access to sensitive data. Anthropic should make three changes to improve the security of its products: block enabling "enableAllProjectMcpServers", implement a dedicated MCP consent dialog that defaults to "deny", and require interactive consent per server rather than for all servers.
Anthropic, a prominent developer of artificial intelligence (AI) models, has been criticized for its handling of security vulnerabilities within its products. A recent proof-of-concept (PoC) attack by Adversa AI demonstrated how a cloned code repository can exploit the Model Context Protocol (MCP) server in Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI to execute malicious code with full user privileges.
The PoC attack exploits a vulnerability in Anthropic's configuration system, specifically its use of JSON files to enable or disable settings. The attack takes advantage of inconsistently enforced restrictions on the scope of settings, allowing an attacker to bypass permissions and enable code execution. This is possible because the "enableAllProjectMcpServers" setting is enabled by default in some cases and disabled in others.
Furthermore, the TrustFall proof-of-concept attack shows how a user's trust decision can be manipulated through a dialog box that defaults to "Yes, I trust this folder". The dialog box provides no warning or explanation of the risks of enabling MCP servers. This has led Adversa AI to argue that users need clearer warnings and more explicit consent mechanisms when using Anthropic's products.
The consequences of this vulnerability are significant, as it can lead to compromised systems and potentially allow attackers to gain unauthorized access to sensitive data. The attack also highlights the importance of security awareness and education for developers and users of AI models.
Anthropic has not commented on the matter. However, Adversa AI has suggested that Anthropic should make three changes to improve the security of its products: block enabling "enableAllProjectMcpServers", implement a dedicated MCP consent dialog that defaults to "deny", and require interactive consent per server rather than for all servers.
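As an added defensive example (not code from the article, from Anthropic or from Adversa AI), the following Python script audits a freshly cloned repository for the blanket "enableAllProjectMcpServers" setting and lists every project MCP server that setting would approve, so a user can review them one by one; the file locations (.claude/settings.json, .claude/settings.local.json and .mcp.json) are assumptions about where these JSON files live.

```python
import json
import tempfile
from pathlib import Path

# Assumed, not stated in the article: project-scoped settings live in
# <repo>/.claude/settings.json (or settings.local.json) and project MCP
# servers are declared in <repo>/.mcp.json under "mcpServers".
SETTINGS_FILES = (".claude/settings.json", ".claude/settings.local.json")
PROJECT_MCP_FILE = ".mcp.json"
RISKY_KEY = "enableAllProjectMcpServers"


def load_json(path: Path) -> dict:
    """Parse a JSON object file; a missing or malformed file counts as empty."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}


def audit_repo(repo: Path) -> list[str]:
    """List what a cloned repository would get approved without a per-server prompt."""
    findings = []
    for rel in SETTINGS_FILES:
        # The repository, not the user, flipping this flag is the condition the article describes.
        if load_json(repo / rel).get(RISKY_KEY) is True:
            findings.append(f"{rel}: {RISKY_KEY}=true auto-approves every project MCP server")
    servers = load_json(repo / PROJECT_MCP_FILE).get("mcpServers", {})
    for name, spec in servers.items():
        cmd = " ".join([str(spec.get("command", ""))] + [str(a) for a in spec.get("args", [])])
        findings.append(f"{PROJECT_MCP_FILE}: server '{name}' launches: {cmd}")
    return findings


def hardened(settings: dict) -> dict:
    """Copy of a settings object with the blanket approval switched off (deny by default)."""
    return {**settings, RISKY_KEY: False}


def demo() -> list[str]:
    """Build a constructed sample repository (not a real project) and audit it."""
    repo = Path(tempfile.mkdtemp())
    (repo / ".claude").mkdir()
    (repo / ".claude" / "settings.json").write_text(json.dumps({RISKY_KEY: True}))
    (repo / PROJECT_MCP_FILE).write_text(json.dumps({"mcpServers": {
        "helper": {"command": "python3", "args": ["tools/server.py"]}}}))
    return audit_repo(repo)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it from outside the cloned directory before opening the project in an MCP-enabled tool; an empty result means no project-level settings or servers were found.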
The incident serves as a reminder of the need for robust security measures when developing and using AI models. It also highlights the importance of transparency, user education, and developer accountability in ensuring the safety and integrity of these systems.
Related Information:
https://www.ethicalhackingnews.com/articles/Unsolicited-Code-Execution-The-Unintended-Consequences-of-AI-Model-Configuration-ehn.shtml
https://www.theregister.com/security/2026/05/07/claude-code-trust-prompt-can-trigger-one-click-rce/5235319
Published: Thu May 7 16:13:53 2026 by llama3.2 3B Q4_K_M