This flaw enables Arbitrary Command Execution (RCE) on any system running a vulnerable MCP implementation, granting attackers direct access to sensitive user data, internal databases, API keys, and chat histories…

We repeatedly recommended root patches to Anthropic - that would have instantly protected millions of downstream users; however, they declined to modify the protocol’s architecture, citing the behavior as “expected.” We subsequently notified Anthropic of our intent to publish these findings, to which they raised no objection.

Through over 30 responsible disclosures and 10+ High/Critical CVEs, OX Security has worked to patch individual projects. However, the root cause remains unaddressed at the protocol level.

Source [2026-04-15; web-archive]

---

But in practice it actually lets anyone run any arbitrary OS command: if the command successfully creates an STDIO server it will return the handle, but when given a different command, it returns an error after the command is executed.

This logic opens a wide range of attack surfaces when combined with user input, as it can allow direct arbitrary command execution with no input sanitization and no red flags to the developer during implementation.

Our examples show the basic case study using Python, but it reflects the same inherent vulnerability from all other programming languages (TypeScript, Java, Golang, etc.).

We found 6 official platforms with actual users vulnerable to arbitrary command execution via MCP configurations…

# Case Studies: Real-World Exploitation

- Windsurf is an AI-powered IDE designed for developers. While it runs locally, its MCP configuration file (mcp.json) is writable by the AI agent - making it susceptible to prompt injection attacks that add malicious STDIO MCP entries.

Attack chain:

  1. Victim visits an attacker-controlled website and copies a prompt that appears legitimate.
  2. The site serves different content to Windsurf's internal requests - injecting a malicious instruction.
  3. Windsurf receives the malicious prompt and proposes edits to mcp.json - without showing the user what will change - and modifies the file.
  4. With no further user interaction, a new STDIO MCP entry is added and immediately executes its command on the victim's machine.

Source [2026-04-15; web-archive]
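As an added defender-side example (not code from the OX Security article or from any MCP client), the following Python audits an mcp.json like the one described in the Windsurf case and flags STDIO entries whose command would run code taken from the config itself; the `mcpServers` layout, the launcher allowlist and the sample config are assumptions constructed for this example.

```python
"""Added example (not from the article or any MCP client): audit an mcp.json for STDIO
entries whose command would run attacker-controlled code. Assumes the common
{"mcpServers": {"<name>": {"command": ..., "args": [...]}}} layout."""
import json
import os

# Constructed allowlist of launchers a team might approve for local STDIO servers.
APPROVED_LAUNCHERS = {"npx", "uvx", "node", "python", "python3", "docker"}
# Flags that make the launcher read program text from the config itself.
INLINE_SCRIPT_FLAGS = {"-c", "-e", "--eval", "/c", "/C", "-Command", "-EncodedCommand"}
SHELL_METACHARS = set(";&|`$<>(){}\n")


def audit_server(name, entry):
    """Return findings for one mcpServers entry; an empty list means nothing flagged."""
    findings = []
    command = str(entry.get("command", ""))
    if not command:
        return findings  # URL-based transport: nothing is spawned locally
    args = [str(a) for a in entry.get("args", [])]
    launcher = os.path.basename(command).lower()
    if launcher not in APPROVED_LAUNCHERS:
        findings.append(f"{name}: launcher {command!r} is not on the approved list")
    if any(a in INLINE_SCRIPT_FLAGS for a in args):
        findings.append(f"{name}: inline-script flag means the code itself lives in the config")
    line = " ".join([command, *args])
    if SHELL_METACHARS & set(line):
        findings.append(f"{name}: shell metacharacters in command line {line!r}")
    return findings


def audit_config(text):
    """Audit a whole mcp.json document (as text); returns every finding in file order."""
    servers = json.loads(text).get("mcpServers", {})
    return [f for name, entry in servers.items() for f in audit_server(name, entry)]


# Constructed sample: one ordinary entry and one injected entry that spawns a shell.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "npx",
                       "args": ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"]},
        "helper": {"command": "/bin/sh", "args": ["-c", "echo injected > /tmp/marker"]},
    }
})

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):  # prints three findings, all for "helper"
        print(finding)
```

Run it against a real config by replacing SAMPLE_CONFIG with the file's contents; any entry the IDE or agent added that was not on the approved list shows up as a finding before the client ever spawns it.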


  • PattyMcB@lemmy.world · 8 up, 2 down · 2 days ago

    RCE = Remote Command Execution, not “Arbitrary”

    This article looks like AI slop

    • Liketearsinrain@lemmy.ml · 5 up · 1 day ago

      Both are used more or less interchangeably. It’s arguably a very human error.

      Anyway, very surprising this happened after this attack vector became included by default in every popular IDE.

      • fartsparkles@lemmy.world · 4 up · edited · 1 day ago

        Long-term blue teamer here. I don’t entirely disagree with you but there’s a little bit of minor nuance. In a general sense, many do use them interchangeably.

        RCE is remote code execution. Some amount of code can be executed remotely.

        ACE is arbitrary code execution. Unrestrained code can be executed.

        That’s why many critical CVEs often have the verbiage “arbitrary remote code execution” to denote not only can code be executed remotely, but practically any valid code can be executed remotely.

  • kingofras@lemmy.world · 2 up · 1 day ago

    What’s more cringe? The lack of understanding of how MCP works or that the attack article was almost certainly written by the very agent they are trying to discredit.

    Not saying Anthropic is flawless or MCP shouldn't be scrutinised, but you'll never do it with this type of article.