April 20, 2026

A design issue in Model Context Protocol (MCP), an open-source standard developed by Anthropic, could allow attackers to execute arbitrary commands and take control of as many as 200,000 servers. The flaw stems from how MCP handles system-level command execution, creating a pathway to remote code execution across widely used AI tools and developer environments.
Security researchers from Ox say they raised the issue multiple times beginning in November 2025, but Anthropic declined to modify the protocol’s architecture, describing the behaviour as “expected.” In a published analysis, the researchers argued that a single protocol-level fix could have reduced risk across software packages with more than 150 million downloads.
MCP is designed to let large language models and AI agents connect to external systems, tools, and data sources, with SDKs in languages such as Python, TypeScript, Java, and Rust. At the core of the issue is MCP’s standard input/output (STDIO) transport, in which the client spawns the MCP server as a local subprocess and communicates with it over stdin and stdout. According to the researchers, this spawning mechanism can be abused to execute arbitrary operating system commands, including commands the developer never intended to expose.
That behaviour creates multiple attack paths. The first is command injection through unauthenticated or poorly sanitised inputs, allowing attackers to run commands directly on a server. The researchers said this could lead to full system compromise, particularly in AI applications with publicly accessible interfaces. Affected projects include LangFlow and GPT Researcher, the latter tracked under CVE-2025-65720.
A second class of attacks bypasses safeguards that restrict which commands can run. Even when frameworks such as Upsonic and Flowise limit execution to approved commands like “python” or “npm,” researchers demonstrated that malicious commands can be injected through command arguments, effectively sidestepping those protections.
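The allowlist bypass described above can be illustrated with a small config audit. The following is an added example, not code from the article or from any of the named projects: it assumes the common MCP client config shape of an "mcpServers" map whose entries carry "command" and "args", and it compares an executable-only allowlist (the pattern the researchers say is bypassable) with a hardened check that also constrains the arguments.

```python
import json
from pathlib import Path

# Constructed sample config (not from the article). The "mcpServers" entry
# shape with "command"/"args" is assumed to match common MCP clients.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "docs":   {"command": "python", "args": ["servers/docs_server.py"]},
        "inline": {"command": "python", "args": ["-c", "print('hello')"]},
        "shell":  {"command": "bash",   "args": ["-c", "echo hi"]},
        "escape": {"command": "node",   "args": ["../outside/server.js"]},
    }
})

ALLOWED_EXECUTABLES = {"python", "python3", "node"}
APPROVED_ROOT = Path("servers").resolve()  # assumed directory for server scripts


def executable_only_check(entry: dict) -> bool:
    """Weak check: allowlists only the executable name and never inspects
    the arguments, so an interpreter flag can still carry arbitrary code."""
    return Path(entry["command"]).name in ALLOWED_EXECUTABLES


def hardened_check(entry: dict) -> tuple[bool, str]:
    """Allowlist the executable AND constrain every argument: no flags, and
    each argument must be a path that resolves under APPROVED_ROOT."""
    if Path(entry["command"]).name not in ALLOWED_EXECUTABLES:
        return False, "executable not allowlisted"
    for arg in entry.get("args", []):
        if arg.startswith("-"):
            return False, f"interpreter flag not permitted: {arg}"
        if not Path(arg).resolve().is_relative_to(APPROVED_ROOT):
            return False, f"script path outside approved root: {arg}"
    return True, "ok"


def audit(config_json: str) -> dict[str, tuple[bool, bool, str]]:
    """Per server: (executable-only verdict, hardened verdict, hardened reason)."""
    servers = json.loads(config_json)["mcpServers"]
    return {name: (executable_only_check(e), *hardened_check(e))
            for name, e in servers.items()}


if __name__ == "__main__":
    for name, (weak, hard, why) in audit(SAMPLE_CONFIG).items():
        print(f"{name:7} executable-only={weak!s:5} hardened={hard!s:5} ({why})")
```

The "inline" entry passes the executable-only check yet fails the hardened one, which is the gap the researchers describe; the "escape" entry shows why resolving paths against an approved root matters even when no flag is present.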
The issue extends into developer tooling, with a third vulnerability category enabling prompt injection attacks in AI-powered coding environments such as Claude Code, Cursor, GitHub Copilot, and Gemini CLI. In at least one case, tracked as CVE-2026-30615 in Windsurf, the attack can occur with no user interaction, directly manipulating configuration files.
A fourth vector targets MCP marketplaces. Researchers said they were able to “poison” nine out of 11 directories that distribute MCP integrations, using a proof-of-concept that executes harmless commands. The concern is that a malicious entry could be installed by thousands of developers, granting attackers command execution on their machines.
Anthropic updated its security guidance following initial disclosures, advising caution when using certain MCP adapters. Researchers said the change does not address the underlying issue.
