Anthropic, Flowise, DocsGPT and IBM: Critical Vulnerability In Flowise Allows Remote Command Execution Via MCP Adapters

Critical AI Framework Vulnerability Exposes Millions to Remote Code Execution

Researchers at OX Security have uncovered a severe architectural flaw in the Model Context Protocol (MCP), a communication standard developed by Anthropic and embedded in AI frameworks across Python, TypeScript, Java, and Rust. The vulnerability enables remote code execution (RCE), exposing sensitive data including API keys, internal databases, and chat histories across the AI supply chain.

The flaw affects Flowise, a widely used open-source AI workflow builder, and extends to over 200,000 vulnerable instances, with 150 million downloads and 7,000 publicly accessible servers at risk. During testing, OX Security successfully executed live commands on six production platforms, demonstrating the flaw’s real-world impact.

Key Exploitation Vectors Identified:

  • Unauthenticated UI injection in major AI frameworks.
  • Hardening bypasses in "protected" environments like Flowise.
  • Zero-click prompt injection in AI IDEs (e.g., Windsurf, Cursor).
  • Malicious MCP server distribution, with 9 out of 11 registries compromised in testing.

At least ten CVEs have been issued, covering critical vulnerabilities in platforms such as LiteLLM, LangChain, GPT Researcher, DocsGPT, and IBM’s LangFlow.

Despite OX Security’s recommendations for root-level patches, Anthropic declined to implement protocol-wide fixes, describing the behavior as "expected." The company did not oppose the public disclosure of the findings.

The incident underscores systemic risks in AI infrastructure: because the flaw is inherited by any developer building on MCP, it expands the attack surface across the whole ecosystem. Security teams are advised to restrict public exposure of AI services, treat MCP inputs as untrusted, and enforce sandboxed environments. Patches for affected platforms are now available.

Source: https://cybersecuritynews.com/flowise-vulnerability/

Anthropic cybersecurity rating report: https://www.rankiteo.com/company/anthropicresearch

Arc53 cybersecurity rating report: https://www.rankiteo.com/company/arc53

FlowiseAI cybersecurity rating report: https://www.rankiteo.com/company/flowiseai

IBM cybersecurity rating report: https://www.rankiteo.com/company/ibm

{
"id": "ANTARCFLOIBM1776659058",
"linkid": "anthropicresearch, arc53, flowiseai, ibm",
"type": "Vulnerability",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': 'Over 200,000 vulnerable '
                                              'instances, 150 million '
                                              'downloads, 7,000 publicly '
                                              'accessible servers',
                        'industry': 'AI/Technology',
                        'name': 'Flowise',
                        'type': 'Open-source AI workflow builder'},
                       {'industry': 'AI/Technology',
                        'name': 'Anthropic',
                        'type': 'AI framework developer'},
                       {'industry': 'AI/Technology',
                        'name': 'LiteLLM',
                        'type': 'AI platform'},
                       {'industry': 'AI/Technology',
                        'name': 'LangChain',
                        'type': 'AI platform'},
                       {'industry': 'AI/Technology',
                        'name': 'GPT Researcher',
                        'type': 'AI platform'},
                       {'industry': 'AI/Technology',
                        'name': 'DocsGPT',
                        'type': 'AI platform'},
                       {'industry': 'AI/Technology',
                        'name': 'IBM’s LangFlow',
                        'type': 'AI platform'}],
 'attack_vector': ['Unauthenticated UI injection',
                   'Hardening bypasses',
                   'Zero-click prompt injection',
                   'Malicious MCP server distribution'],
 'data_breach': {'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['API keys',
                                              'Internal databases',
                                              'Chat histories']},
 'description': 'Researchers at OX Security uncovered a severe architectural '
                'flaw in the Model Context Protocol (MCP), a communication '
                'standard developed by Anthropic and embedded in AI frameworks '
                'across Python, TypeScript, Java, and Rust. The vulnerability '
                'enables remote code execution (RCE), exposing sensitive data '
                'including API keys, internal databases, and chat histories '
                'across the AI supply chain. The flaw affects Flowise, a '
                'widely used open-source AI workflow builder, and extends to '
                'over 200,000 vulnerable instances, with 150 million downloads '
                'and 7,000 publicly accessible servers at risk.',
 'impact': {'brand_reputation_impact': 'Systemic risks in AI infrastructure '
                                       'highlighted',
            'data_compromised': ['API keys',
                                 'Internal databases',
                                 'Chat histories'],
            'operational_impact': 'Exposure of sensitive data and potential '
                                  'remote code execution across AI supply '
                                  'chain',
            'systems_affected': 'AI frameworks (Python, TypeScript, Java, '
                                'Rust), Flowise, LiteLLM, LangChain, GPT '
                                'Researcher, DocsGPT, IBM’s LangFlow'},
 'investigation_status': 'Publicly disclosed, patches available',
 'lessons_learned': 'Systemic risks in AI infrastructure, need for root-level '
                    'patches and secure development practices',
 'post_incident_analysis': {'corrective_actions': 'Root-level patches, '
                                                  'sandboxing, input '
                                                  'validation, restricted '
                                                  'public exposure',
                            'root_causes': 'Architectural flaw in Model '
                                           'Context Protocol (MCP), lack of '
                                           'input validation, insecure default '
                                           'configurations'},
 'recommendations': ['Restrict public exposure of AI services',
                     'Treat MCP inputs as untrusted',
                     'Enforce sandboxed environments',
                     'Apply available patches'],
 'references': [{'source': 'OX Security'}],
 'response': {'containment_measures': ['Restrict public exposure of AI '
                                       'services',
                                       'Treat MCP inputs as untrusted',
                                       'Enforce sandboxed environments'],
              'remediation_measures': 'Patches for affected platforms are now '
                                      'available'},
 'title': 'Critical AI Framework Vulnerability Exposes Millions to Remote Code '
          'Execution',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'Architectural flaw in Model Context Protocol '
                            '(MCP)'}