A dangerous design flaw has been discovered in Anthropics MCP protocol that could expose 150 million downloads and 200,000 servers to hacker attacks. Learn what this vulnerability is, which tools are affected, and how you can protect yourself.
What is MCP and Why Does It Matter?
If you use AI tools like Cloud, GitHub Copilot, or any AI assistant, you may or may not have heard of MCP but you definitely use it. MCP or Model Context Protocol, is the system that connects AI to your computer, database, files, and other tools. Simply put its the nervous system of AI. Without MCP AI is just a chatbot but with MCP it can access your real data run commands and view your files.
Anthropic released this protocol in November 2024 and has since rapidly gained popularity in the world of AI development. To date, there have been over 150 million downloads, and the protocol is active on over 200,000 servers worldwide. This is a very large and important system so when a serious flaw is found and it raises alarms throughout the AI community.
What Problem Was Found and Who Discovered It?
A cybersecurity research company called OX Security began a very in-depth investigation in November 2025. After several months of hard work they presented their findings to the world in April 2026. They gave this entire research a rather explosive name The Mother of All AI Supply Chains. The problem is that Anthropics MCP protocol uses something called the STDIO interface.
This is a basic computer mechanism that transfers data between programs. But this STDIO interface has a major flaw if an attacker sends a malicious command through it that command is executed without any prevention.
This means that any hacker can run their own code on any MCP-enabled system absolutely directly without any permission. This is not a coding mistake it is an architectural flaw which means the error is inherent in the basic design of MCP not something that came from above.
How Dangerous Is This Vulnerability?
The simple answer is very dangerous. The OX Security team demonstrated this attack not just in the lab, but on real live production platforms. They successfully ran commands on 6 active platforms platforms that real users use for actual work. When this attack occurs and the attacker can get your API keys (which are the keys to your accounts) full access to internal databases and chat history you may have shared with the AI and complete control of the server.
Furthermore OX Security uploaded a test malicious package to 11 major MCP marketplaces and surprisingly 9 out of 11 platforms accepted the package without any security checks. Only GitHubs official registry was able to stop this malicious package. This single flaw has already led to more than 10 CVEs (officially registered vulnerabilities) for different popular AI tools.
Which Popular Tools Are Affected?
This vulnerability is not limited to just one or two tools it has spread across the entire AI development world. Some of the major affected tools are LiteLLM which is used in many AI applications LangChain a very popular framework for building AI agents, IBMs LangFlow enterprise level AI automation tool Flowise open-source AI workflow builder, LettaAI LangBot and GPT Researcher are also in this list.
And not just in any one programming language, this flaw comes with MCP SDK in many languages including Python, TypeScript, Java, Kotlin, C#, Go Ruby, Swift, PHP and Rust. Meaning, if you are building an AI app using Anthropics MCP in any language you are automatically inheriting this risk and whether you know it or not.
What Did Anthropic Say About This?
This is where the real drama begins. OX Security sent these findings to Anthropic via responsible disclosure and repeatedly requested a fix at the core of the protocol. But what did Anthropic do? They simply said, This is expected behavior meaning our system is working fine theres no issue. They did not make any changes to the architecture.
They simply updated their documentation file SECURITY.md stating that STDIO adapters should use Hadith Certification. OX Security researchers simply replied This change doesn’t fix anything. The Register reported that researchers had repeatedly asked Anthropic for architectural patches but were always met with the same response Nothing works.
And another irony is that just days later Anthropic launched Cloud Mythos a tool to make the world software secure while having this serious flaw in its own protocol.
Partial Fixes Released But Core Issue Remains
Some platforms have taken action on their own and released patches. LiteLLM fixed CVE202630623, DocsGPT addressed CVE202626015 and Bisheng patched CVE202633224. These are good steps but they are only a small part of the whole issue. Some versions of LangFlow Agent Zero Fire Framework Windsurf and DocsGPT are still unpatched.
And most importantly Anthropics official MCP SDK itself is still vulnerable because the root flaw is at the protocol level. So until Anthropic applies a fix to its core SDK all the tools below will always be at risk and no matter how many patches they release. Keep it up OX Security says a single architectural change could have protected millions of downstream users and Anthropic NY missed that opportunity.
How Can You Stay Protected?
If you are a developer using MCP or an organization deploying AI tools, take some important steps now. First and most importantly, do not expose your MCP enabled services to the public internet. Keep these services within your internal network as much as possible.
Second any MCP configuration input should be kept in an untrusted environment. Any input from a user should not directly access STDIO parameters.
Third run MCP processes in a sandboxed environment, meaning a place where their access is limited and they cannot affect the rest of the system. Fourth, install MCP servers only from verified sources. GitHub’s official MCP Registry is the safest option.
Fifth install all your affected tools on LiteLLM Flowise. Install the latest patches from DocsGPT and keep an eye out for future updates. If you’re not a developer you should keep any AI tools you use updated and think carefully before sharing sensitive data with AI agents.
Impact on the AI Industry
This isn’t just a single vulnerability its a major warning signal for the entire AI industry. With the rapid pace at which AI tools and frameworks are being developed and security is often left behind. MCP is an open standard that serves as a cornerstone of AI. If this cornerstone is flawed everything built on top of it is at risk. IEEE Senior Fellow Kevin Curran commented on this, saying This is a shocking gap in AI foundational infrastructure.
Developers and security experts are actively discussing this topic on Reddit and Twitter. This case also proves that simply making AI smart doesn’t work AI infrastructure must be secure by design. Anthropic had the opportunity.
They thought they could protect millions of users by providing a fix at the protocol level but they put that responsibility on developers. Now it remains to be seen what the industry learns from this and whether there will be any real change in AI safety culture.
