Anthropic developed the Model Context Protocol (MCP) as a standard for communication between AI agents and tools. OpenAI adopted this standard in March 2025, followed by Google DeepMind. In December 2025, Anthropic donated MCP to the Linux Foundation. With over 150 million downloads, MCP faced a significant challenge when four researchers from OX Security discovered a critical architectural flaw affecting all implementations.
The MCPâs STDIO transport, which is the default for linking AI agents to local tools, executes any operating system command it receives without sanitization or an execution boundary. A malicious command can return an error post-execution, and the development toolchain does not flag this.
Researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok, and Roni Bar from OX Security investigated the ecosystem and identified 7,000 servers with active STDIO transport on public IPs, estimating a total of 200,000 potentially vulnerable instances. They confirmed the execution of arbitrary commands on six active production platforms. This research led to more than ten high or critical CVEs across platforms like LiteLLM, LangFlow, Flowise, Windsurf, Langchain-Chatchat, Bisheng, DocsGPT, GPT Researcher, Agent Zero, LettaAI, and others.
Kevin Curran, an IEEE senior member and cybersecurity professor at Ulster University, told Infosecurity Magazine that the research highlighted âa shocking gap in the security of foundational AI infrastructure.â
Anthropic acknowledged the behavior as intentional and opted not to alter the protocol, describing STDIOâs execution model as secure by default, with input sanitization as the developerâs duty. This characterization was attributed to OX, as Anthropicâs only public statement was that the behavior was âexpected.â Anthropic has not made a separate public announcement and did not respond to VentureBeatâs request for comment.
OX argues that relying on 200,000 developers to sanitize inputs is problematic. Anthropic counters that sanitizing STDIO would either disrupt the transport or shift the payload to another layer. Both arguments have merit, leaving the question of how to proceed unresolved.
While major outlets covered the disclosure, none provided the in-depth product-by-product audit necessary for a security director to assess MCP deployments. This article aims to fill that gap.
Five key questions assess if your MCP deployments are exposed, if patches are effective, and what actions to take starting Monday.
Am I exposed?
If your teams deployed any AI agent using MCP with the default STDIO transport, you are exposed. This is not a coding flaw in a particular product, but a design default in Anthropicâs MCP specification, which has been integrated into every official SDK: Python, TypeScript, Java, and Rust. Any downstream project relying on the protocol is affected.
OX identified four exploitation categories: unauthenticated command injection via AI framework web interfaces (seen in LangFlow and LiteLLM), bypasses in tools with command allowlists (seen in Flowise and Upsonic), zero-click prompt injection in AI coding IDEs (notably in Windsurf, CVE-2026-30615), and malicious package distribution through MCP registries.
Carter Rees, VP of AI and Machine Learning at Reputation and a member of the Utah AI Commission, told VentureBeat that the approach needs a shift. âMCP stdio is a privileged execution surface, not a connector. Enterprise teams should treat it like production shell access. Deny by default, allowlist, sandbox, and stop assuming downstream input validation will hold at scale,â Rees said.
The IDE vulnerabilities are particularly concerning because they target developer workstations. An attacker-controlled website can modify the local MCP configuration file without user approval in Windsurf. Cursor, Claude Code, and Gemini-CLI require user interaction, but the UI may not make the execution consequences clear.
Did my vendor patch?
Some vendors have patched, some partially, and others have not confirmed. The table below outlines each affected product, the exploitation type, patch status, and remaining gaps. Notably, the âProtocol fix?â column remains âNOâ for all.
|
Product |
Exploit type |
Patched? |
Protocol fix? |
The gap |
Action |
|
LiteLLM |
Command injection via adapter UI |
YES |
NO |
LiteLLM is fixed. New STDIO configs outside LiteLLM inherit the same insecure default. |
Pin to v1.83.7-stable or later (CVE-2026-30623). Verify against GitHub advisory. Audit all other STDIO definitions. |
|
LangFlow |
RCE via public auto_login + STDIO |
Partial |
NO |
Auth token freely available via public endpoint. STDIO executes whatever follows. |
Block public auto_login. Sandbox all MCP services from the host OS. |
|
Flowise / Upsonic |
Allowlist bypass (npx -c argument injection) |
Hardened, bypass confirmed |
NO |
Allowlist gives false confidence. OX bypassed it. Trivial. |
Do not rely on command allowlists. Enforce process-level sandbox isolation. |
|
Windsurf (CVE-2026-30615) |
Zero-click prompt injection to local RCE |
REPORTED, unconfirmed |
NO |
Only an IDE with a true zero-interaction exploit. Hits developer workstations, not servers. |
Disable automatic MCP server registration. Review all active configs manually. |
|
Cursor / Claude Code / Gemini-CLI |
Prompt injection to local MCP config modification |
Cursor patched (CVE-2025-54136); others vary |
NO |
User interaction required, but config-change UI does not surface execution consequence. Approval does not equal informed consent. |
Audit MCP config files (~/.cursor/mcp.json, equivalent paths). Disable auto-registration. Review all pending config changes before approval. |
|
Langchain-Chatchat (CVE-2026-30617) |
RCE via MCP STDIO transport |
REPORTED, unconfirmed |
NO |
Downstream chatbot framework inherits the same STDIO default. Patch status unconfirmed. |
Inventory all Langchain-Chatchat deployments. Sandbox from host OS. Monitor vendor advisory for patch. |
|
MCP registries (9 of 11) |
Accepted malicious PoC without review |
N/A |
NO |
Registries lack submission security review. Install and risk a backdoor. |
Use registries with documented submission review. Audit installs against known-good hashes. |
Does the flaw survive the patch?
Yes. Each product-level patch addresses specific entry points but does not alter the MCP protocolâs STDIO behavior. A security director who patches LiteLLM today and configures a new MCP STDIO server tomorrow will face the same insecure default. While necessary, these patches are insufficient.
This was expected. When VentureBeat reported on MCPâs security issues in January, Merritt Baer, chief security officer at Enkrypt AI, noted: âMCP is shipping with the same mistake weâve seen in every major protocol rollout: insecure defaults. If we donât build authentication and least privilege in from day one, weâll be cleaning up breaches for the next decade.â The Cloud Security Alliance confirmed OXâs findings, recommending that organizations consider MCP-connected infrastructure as an active threat. The defaults remain unchanged, expanding the attack surface.
Rees argued that Anthropicâs stance, while internally consistent, does not align with enterprise realities. âIt stops being a developer mistake and starts being a distributed failure mode when the same class of failure reproduces across that many independent implementations,â Rees told VentureBeat. âGuidance is not an architectural control. Relying on thousands of downstream implementers to consistently interpret a trust boundary is a known anti-pattern in enterprise security.â
Anthropic updated its SECURITY.md file nine days after OXâs initial contact in January 2026, advising caution with STDIO adapters, but made no structural changes. Researchers assessed that this update did not resolve the issue.
Rees offered a balanced view, acknowledging Anthropicâs update to their security guidance as a step forward, though not a comprehensive fix.
What changed at the protocol level?
Nothing at an architectural level. Anthropic has not implemented manifest-only execution, a command allowlist in the official SDKs, or other protocol-level mitigations recommended by OX. The only change was the SECURITY.md guidance update. OXâs research, starting in November 2025, involved over 30 responsible disclosure processes across the ecosystem before publication on April 15.
The disagreement is substantial. Anthropicâs architectural rationale merits consideration. STDIO is intended as a local subprocess transport to run processes on the configuring machine. In Anthropicâs perspective, trust lies with the configuration fileâs controller. Thus, perceived command injection is an intended feature. Restricting STDIO at the protocol level could disrupt its function or shift the attack surface to the launched process. The argument for an unopinionated standard is also valid: a universal protocol with built-in execution constraints loses its universality. OX counters that shifting responsibility to implementers does not mitigate risk but obscures its origin.
Do not await a protocol-level fix. Treat every MCP STDIO configuration as an untrusted input surface, regardless of the product it is integrated into.
Monday morning remediation sequence
Enumerate. Identify every MCP server deployment across development, staging, and production environments. Look for MCP configuration files (mcp.json, mcp_config.json) in developer directories and IDE config paths like ~/.cursor/, ~/.codeium/windsurf/, ~/.config/claude-code/. List processes matching MCP server binaries and flag those using STDIO transport with public IP access. OX found 7,000 on public IPs, suggesting unknown instances in your environment.
Patch. Secure all affected products to their patched versions. LiteLLM v1.83.7-stable offers a fix for CVE-2026-30623. DocsGPT, Flowise, and Bisheng have released fixes, while Windsurf and Langchain-Chatchat remain in reported states as of May 1, 2026. Cursor was patched for an earlier related issue (CVE-2025-54136) but retains the original protocol default. Verify each vendorâs advisory on the day of action.
Sandbox. Isolate all MCP-enabled services from the host OS. Avoid granting servers full disk access or shell execution privileges. The Flowise/Upsonic allowlist bypass demonstrates the inadequacy of restricting commands alone.
Audit registries. Review every MCP server sourced from third-party registries. Nine of 11 registries accepted OXâs proof-of-concept without a security check. Use registries with a documented review process. Remove any MCP server of uncertain origin.
Treat STDIO config as untrusted. This approach remains essential beyond future patches and products. The default has not changed. Every STDIO server definition is a command execution surface. Treat it like user input to a database query: assume hostility until validated.
Your exposure cannot wait for a protocol fix
Anthropic and OX Security dispute who should ensure MCPâs STDIO transport security. This debate wonât resolve soon. However, you can determine if your MCP deployments are inventoried, patched, sandboxed, and handled as the untrusted execution surfaces they are.
As Rees stated: âThe core question here is architectural policy, not exploit payloads.â Baer warned earlier this year that insecure defaults would lead to this situation. OX identified 200,000 servers with a configuration field doubling as an execution surface. The protocolâs designer insists it functions as intended. Your immediate concern is not who is correct but which of your servers are vulnerable.

