AI agents using Anthropic MCP could be a vector for supply chain attacks, claim researchers

The flaw in Anthropic’s Model Context Protocol agent communication standard could put millions of agents and 200,000 servers at risk, report says


Anthropic’s Model Context Protocol (MCP) has a systemic vulnerability that could allow hackers to take control of servers and breach companies’ security, according to OX Security.

Researchers at OX Security claim the flaw permits “arbitrary command execution of any server running a vulnerable MCP implementation”.

This gives attackers direct access to:

  • user data
  • databases
  • API keys
  • chat histories

and “much more”.

MCP is a popular AI agent communication standard developed and maintained by Anthropic and used by potentially millions of agents and hundreds of thousands of servers.

In the words of researchers Moshe Ben Siman Tov, Nir Zadok, Mustafa Naamnih, and Roni Bar: “The blast radius is massive. This exploit allowed us to directly execute commands on six official services of real companies with real paying customers.”

They added that during their research they conducted “over 30 responsible disclosure processes, produced 10 CVEs rated Critical and High, and helped patch numerous projects”.

“Not a one-off coding mistake”

In the report The mother of all AI supply chains, OX Security researchers said the MCP flaw isn’t a “one-off coding mistake” but is more fundamental.

They explained that, while reviewing potential AI and LLM-related attack vectors, they found a vulnerability in a GPT Researcher feature that allowed developers to configure a custom STDIO MCP server, where the command and arguments are supplied by the user.

“Testing revealed that any OS command passed through this interface would execute on the server — even when the fake MCP server failed to start,” the OX Security researchers said. “The error was returned to the user; the command ran anyway.”

This meant that running an arbitrary command gave complete control of the server.
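The pattern described above (user-controlled `command` and `args` for a STDIO server) and a hardened alternative, written here as an added illustration rather than code from GPT Researcher, LangChain or the MCP SDK. The allowlist, server names and config field names are constructed for the example.

```python
import re
import subprocess
from dataclasses import dataclass

# Constructed allowlist (not from the report): the only stdio MCP servers this
# host may launch. The executable and its fixed arguments are set here by the
# operator; a user may only pick a name and add a few constrained arguments.
ALLOWED_SERVERS = {
    "filesystem": ("npx", ["-y", "@modelcontextprotocol/server-filesystem"]),
    "git": ("uvx", ["mcp-server-git"]),
}
# Plain identifiers and relative paths only: no whitespace, quotes or shell
# metacharacters, and no leading '-' so a value cannot turn into a flag.
SAFE_ARG = re.compile(r"^[A-Za-z0-9_./][A-Za-z0-9_./-]{0,199}$")


@dataclass(frozen=True)
class StdioLaunch:
    command: str
    args: list[str]


def launch_unvalidated(cfg: dict) -> subprocess.Popen:
    """The pattern the report describes, shown for contrast only: the user's
    'command' and 'args' are spawned as given, so the process runs even if it
    is not an MCP server at all and the MCP handshake fails afterwards."""
    return subprocess.Popen([cfg["command"], *cfg.get("args", [])])


def validate_stdio_config(cfg: dict) -> StdioLaunch:
    """Map a user request {"server": ..., "args": [...]} onto an allowlisted
    launch spec, or raise ValueError. Nothing user-controlled names the binary."""
    if "command" in cfg:
        raise ValueError("user-supplied 'command' is not accepted")
    name = cfg.get("server")
    if name not in ALLOWED_SERVERS:
        raise ValueError(f"server {name!r} is not on the allowlist")
    extra = cfg.get("args", [])
    if not isinstance(extra, list) or len(extra) > 4:
        raise ValueError("args must be a list of at most 4 items")
    for a in extra:
        if not isinstance(a, str) or not SAFE_ARG.match(a):
            raise ValueError(f"rejected argument {a!r}")
    command, fixed = ALLOWED_SERVERS[name]
    return StdioLaunch(command, [*fixed, *extra])


def launch_validated(cfg: dict) -> subprocess.Popen:
    """Validate before spawning: a rejected config never becomes a process, so
    there is no 'error returned but the command ran anyway' window. argv is a
    list with shell=False (the default), never passed through a shell."""
    spec = validate_stdio_config(cfg)
    return subprocess.Popen([spec.command, *spec.args],
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE)
```

The key property is ordering: the policy check runs and rejects before any `Popen` call, so a failed start cannot leave a stray process behind.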

“To be clear: this should never happen,” they said.

GPT Researcher uses AI agent engineering platform LangChain’s langchain-mcp-adapters and the OX Security researchers assumed that was where the vulnerability lay. However, further investigation found the root of the issue lay in Anthropic’s original MCP implementation code, modelcontextprotocol.

When OX Security contacted LangChain and Anthropic about the issue, both organizations said this was “expected behavior”.

In a statement to OX Security, Anthropic said: “We do not consider this a valid security vulnerability as it requires explicit user permission for the file change where the user is given the opportunity to approve or deny the change.”

Anthropic has since released an updated security policy, however, which states that MCP adapters, and STDIO ones in particular, should be used with caution, and which emphasizes that responsibility for securing code lies with the developers, not with Anthropic.

OX Security argued this represents a supply chain risk that is difficult to resolve.

“Developers are not security engineers,” the OX Security researchers said. “We cannot expect tens of thousands of implementers to independently discover and mitigate a flaw that’s baked into the official SDKs they trust. By shifting the blame rather than hardening the protocol, the industry leaves user data and organizational infrastructure exposed.”

They added: “This architectural failure highlights an even broader, systemic trend. As AI-assisted code generation accelerates, individuals with limited technical expertise are deploying an unprecedented volume of projects. However, generating more code without foundational security knowledge exponentially widens the gap in organizational defenses.”

Jake Moore, global cybersecurity advisor at ESET, echoed these sentiments, telling ITPro: “This is potentially the start of what is to come with AI enabled cybercrime. Supply chain attacks are still rife but when we are adding in extremely new technology that hasn't and can't really ever be fully tested, we are putting ourselves in dangerous waters where disastrous attacks can and will occur.”

He added: “This isn’t just a bug that we are used to seeing, this is what happens when an AI standard is built for capability before control and we are likely to see this more and more over the next few years. If it works, it doesn’t mean it’s safe but refusing to patch it suggests this isn’t easily fixable without breaking functionality (which is the bigger concern).”

ITPro has approached Anthropic for comment.

Jane McCallion
Managing Editor

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.