A substantial vulnerability within Anthropic’s Model Context Protocol (MCP) has come to light, threatening over 150 million downloads and potentially compromising about 200,000 servers. This alarming revelation was detailed in research released on April 15, 2026, by the OX Security Research team.
The vulnerability allows for Arbitrary Remote Code Execution (RCE) on any system utilizing a compromised MCP implementation. This grants attackers unfettered access to sensitive user information, including internal databases, API keys, and chat histories. Unlike conventional software flaws, which typically arise from coding mistakes, this issue is rooted in an architectural design decision embedded directly within Anthropic’s official MCP Software Development Kits (SDKs). These SDKs span multiple programming languages, including Python, TypeScript, Java, and Rust, which means developers using MCP are unknowingly passing along this risk through the software supply chain.
Massive Blast Radius
OX Security’s research unveiled four distinct families of exploitation:
- Unauthenticated UI Injection in prominent AI frameworks.
- Hardening Bypasses in environments that should be secure, like Flowise.
- Zero-Click Prompt Injection targeting AI Integrated Development Environments (IDEs), including tools like Windsurf and Cursor.
- Malicious Marketplace Distribution, where nine out of eleven MCP registries were successfully infiltrated with a malicious test payload.
The researchers confirmed successful command execution on six live production platforms and found critical vulnerabilities in software products like LiteLLM, LangChain, and IBM’s LangFlow. Following their investigation, at least ten Common Vulnerabilities and Exposures (CVEs) were cataloged, many carrying Critical ratings. Specific affected products include:
- CVE-2026-30615 — Windsurf: A serious zero-click prompt injection leading to local RCE (Critical, Reported).
- CVE-2026-30623 — LiteLLM: Authenticated RCE via JSON configuration (Critical, Patched).
- CVE-2026-30617 — Langchain-Chatchat: Unauthenticated UI injection (Critical, Reported).
- CVE-2025-65720 — GPT Researcher: UI injection leading to a reverse shell (Critical, Reported).
- CVE-2026-30618 — Fay Framework: Unauthenticated Web-GUI RCE (Critical, Reported).
Despite being presented with multiple recommendations for root-level patches from OX Security, Anthropic reportedly characterized their recommendations as “expected,” choosing not to implement immediate fixes. The research team notified Anthropic of their intent to publish findings, and no objections were raised, highlighting a troubling lack of urgency in addressing the vulnerabilities that affect countless users.
Response and Recommendations
In light of these findings, OX Security has emphasized immediate actions organizations should undertake to mitigate risks:
- Restrict public internet access to AI services associated with sensitive APIs and databases.
- Treat all external MCP configuration input as untrusted, and prevent unfiltered user input from reaching critical functions.
- Only install MCP servers from verified sources, such as the official GitHub MCP Registry.
- Operate MCP-enabled services within sandboxed environments with limited permissions.
- Vigilantly monitor tool usage for any irregular background activity or potential data exfiltration attempts.
- Promptly upgrade all affected services and disable any unpatched versions until solutions are available.
Following their research, OX Security has rolled out new protections that can identify improper use of STDIO-based MCP configurations within AI-generated code. These new features flag vulnerable configurations in customer codebases, alerting organizations to take necessary action.
Interestingly, amidst these security concerns, Anthropic has recently introduced a new tool named Claude Mythos, aimed at enhancing software security. The researchers argue that the company should apply similar security standards to its own MCP architecture, adopting a “Secure by Design” approach.
The ongoing situation emphasizes the critical importance of addressing foundational issues in software architecture and the significant risks posed by vulnerabilities that can be inherited through the software supply chain. As the technology landscape continues to evolve, stakeholders must prioritize security to protect sensitive data and maintain user trust.