Critical MCP Vulnerability Exposes AI Ecosystem to Remote Command Execution
Security researchers at OX Security have uncovered a systemic design flaw in Anthropic’s Model Context Protocol (MCP), a widely adopted framework for AI agent communication. The vulnerability enables remote command execution (RCE), allowing attackers to fully compromise affected systems.
Unlike isolated software bugs, this flaw stems from MCP’s core architecture, making it difficult to mitigate universally. It affects official MCP SDKs across Python, Java, Rust, and TypeScript, with over 150 million downloads tied to MCP-based components. More than 7,000 publicly accessible MCP servers and an estimated 200,000 vulnerable instances worldwide amplify the risk, creating a software supply chain threat for developers integrating MCP into their applications.
Attack Vectors & Impact
The vulnerability enables multiple exploitation methods, including:
- Unauthenticated UI injection in AI frameworks
- Zero-click prompt injection in AI IDEs like Windsurf and Cursor
- Malicious package distribution via marketplace poisoning
- Security bypasses in protected environments, such as Flowise, where attackers can execute arbitrary commands and access databases, API keys, and other sensitive data
Affected Tools & CVEs
The flaw has led to multiple CVE disclosures across popular AI tools:
- GPT Researcher (CVE-2025-65720)
- Agent Zero (CVE-2026-30624)
- Fay Framework (CVE-2026-30618)
- Langchain-Chatchat (CVE-2026-30617)
- Jaaz (CVE-2026-33224)
- Windsurf (CVE-2026-30615 – zero-click prompt injection)
- Upsonic (CVE-2026-30625 – allowlist bypass)
Some platforms, including LiteLLM and Bisheng, have released patches, but Anthropic has not altered MCP’s architecture, stating the behavior is "expected." This leaves organizations to implement their own safeguards, such as restricting public access to MCP services, treating inputs as untrusted, and running services in isolated environments.
The incident underscores the growing risks in AI supply chains and the need for secure-by-design architectures as AI adoption expands.
Source: https://cyberpress.org/critical-vulnerability-in-flowise/
Anthropic cybersecurity rating report: https://www.rankiteo.com/company/anthropicresearch
Cognition cybersecurity rating report: https://www.rankiteo.com/company/cognition-ai-labs
Agentics Foundation cybersecurity rating report: https://www.rankiteo.com/company/agentics-org
LiteLLM cybersecurity rating report: https://www.rankiteo.com/company/litellm
{
  "id": "ANTCOGAGELIT1776429692",
  "linkid": "anthropicresearch, cognition-ai-labs, agentics-org, litellm",
  "type": "Vulnerability",
  "date": "1/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': 'Developers and organizations using MCP-based components',
                        'industry': 'Artificial Intelligence',
                        'name': 'Anthropic',
                        'type': 'AI Framework Provider'},
                       {'industry': 'Artificial Intelligence', 'name': 'GPT Researcher', 'type': 'AI Tool'},
                       {'industry': 'Artificial Intelligence', 'name': 'Agent Zero', 'type': 'AI Tool'},
                       {'industry': 'Artificial Intelligence', 'name': 'Fay Framework', 'type': 'AI Tool'},
                       {'industry': 'Artificial Intelligence', 'name': 'Langchain-Chatchat', 'type': 'AI Tool'},
                       {'industry': 'Artificial Intelligence', 'name': 'Jaaz', 'type': 'AI Tool'},
                       {'industry': 'Artificial Intelligence', 'name': 'Windsurf', 'type': 'AI IDE'},
                       {'industry': 'Artificial Intelligence', 'name': 'Upsonic', 'type': 'AI Tool'},
                       {'industry': 'Artificial Intelligence', 'name': 'LiteLLM', 'type': 'AI Tool'},
                       {'industry': 'Artificial Intelligence', 'name': 'Bisheng', 'type': 'AI Tool'},
                       {'industry': 'Artificial Intelligence', 'name': 'Flowise', 'type': 'AI Framework'}],
 'attack_vector': ['Unauthenticated UI injection',
                   'Zero-click prompt injection',
                   'Malicious package distribution via marketplace poisoning',
                   'Security bypasses in protected environments'],
 'data_breach': {'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Databases', 'API keys', 'Sensitive data']},
 'description': 'Security researchers at OX Security uncovered a systemic design flaw in '
                'Anthropic’s Model Context Protocol (MCP), enabling remote command execution (RCE) '
                'and full system compromise. The vulnerability stems from MCP’s core architecture, '
                'affecting official SDKs across Python, Java, Rust, and TypeScript, with over '
                '150 million downloads and 200,000 vulnerable instances worldwide. The flaw allows '
                'unauthenticated UI injection, zero-click prompt injection, malicious package '
                'distribution, and security bypasses in AI tools and frameworks.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to supply chain risks',
            'data_compromised': ['Databases', 'API keys', 'Sensitive data'],
            'operational_impact': 'Full system compromise, arbitrary command execution',
            'systems_affected': ['AI frameworks',
                                 'AI IDEs (Windsurf, Cursor)',
                                 'Protected environments (Flowise)']},
 'lessons_learned': 'The incident underscores the growing risks in AI supply chains and the need '
                    'for secure-by-design architectures as AI adoption expands.',
 'post_incident_analysis': {'corrective_actions': ['Patches by affected tools',
                                                   'Organizational safeguards (restricting access, isolated environments)'],
                            'root_causes': 'Systemic design flaw in MCP’s core architecture'},
 'recommendations': ['Restrict public access to MCP services',
                     'Treat inputs as untrusted',
                     'Run services in isolated environments',
                     'Implement secure-by-design architectures'],
 'references': [{'source': 'OX Security Research'}],
 'response': {'containment_measures': ['Restricting public access to MCP services',
                                       'Treating inputs as untrusted',
                                       'Running services in isolated environments'],
              'remediation_measures': ['Patches released by LiteLLM and Bisheng']},
 'title': 'Critical MCP Vulnerability Exposes AI Ecosystem to Remote Command Execution',
 'type': 'Remote Command Execution (RCE)',
 'vulnerability_exploited': 'Systemic design flaw in Anthropic’s Model Context Protocol (MCP)'}