A critical flaw in Anthropic’s Model Context Protocol could expose more than 150 million downloads to potential compromise and enable full system takeover across as many as 200,000 servers, according to findings by the OX Security Research team.
Architectural Flaw Spans Multiple SDKs
The researchers said the issue stems from a fundamental design decision embedded in Anthropic’s official MCP software development kits across all supported programming languages, including Python, TypeScript, Java and Rust. Unlike a conventional coding error, the flaw was described as architectural, meaning developers building on the MCP foundation may inherit the exposure from the outset.
The vulnerability enables arbitrary command execution on any system running a vulnerable MCP implementation. Successful exploitation could give attackers access to sensitive user data, internal databases, API keys and chat histories, effectively handing over complete control of the affected environment.
Researchers Cite Multiple Attack Paths
The research outlines several attack routes, including unauthenticated UI injection targeting popular AI frameworks, hardening bypasses in environments described as protected, and zero-click prompt injection in AI development tools including Windsurf and Cursor. It also points to malicious marketplace distribution, stating that 9 out of 11 MCP registries were successfully poisoned with a malicious test payload.
OX Security said it confirmed successful command execution on six live production platforms. Affected projects include LiteLLM, LangChain and IBM’s LangFlow.
Patches Issued in Several Cases
The research is said to have produced at least 10 CVEs across multiple high-profile projects. The material states that several critical flaws have already been patched, including CVE-2026-30623 in LiteLLM and CVE-2026-33224 in Bisheng.
Anthropic has not yet responded, but the findings present the flaw as a broad risk affecting systems built on vulnerable MCP implementations.
About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.