AI Security April 26, 2026 · 5 min read · By Forum Desk

An 'Expected' MCP Behavior Is Now an RCE Vector Across 7,000 AI Servers

OX Security disclosed a design-level flaw in Anthropic's Model Context Protocol that turns the STDIO transport's default configuration into remote code execution. Anthropic says the behavior is expected; the open-source agent ecosystem now has dozens of CVEs to triage.

  • #ai-security
  • #supply-chain
  • #ai-agents
  • #mcp

Researchers at OX Security disclosed last week a design-level flaw in Anthropic’s Model Context Protocol that turns the STDIO transport’s default configuration into a remote code execution vector across more than 7,000 publicly reachable MCP servers and 150 million package downloads. Anthropic has chosen not to amend the protocol — per The Hacker News, the company describes the behavior as “expected” and is leaving downstream implementers to harden their own code. The result is a class of vulnerability where the official SDK ships secure-on-paper across Python, TypeScript, Java, and Rust, but the on-the-ground deployments routinely inherit an unsafe default that runs attacker-supplied commands at startup.

The unsafe default at the core

OX Security’s team — Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok and Roni Bar — describe the flaw as configuration-to-command execution via the STDIO interface. MCP’s STDIO transport is the local-process pipe that connects an MCP client (a coding agent, an AI assistant) to a server (a tool that exposes data or actions). The handshake uses a configuration object to spawn the server process, and in the default flow that configuration is treated as trusted. An attacker who can influence the configuration — through a poisoned config file, a compromised registry entry, or a malicious extension — gets arbitrary command execution against any host running a vulnerable MCP server. From there the path to “sensitive user data, internal databases, API keys and chat histories” is short.
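To make the trust boundary concrete, here is an added example (not code from OX Security, Anthropic, or any MCP SDK) showing the two sides of the pattern the researchers describe: a loader that spawns whatever the configuration object says, next to one that validates the entry against an operator-defined allowlist before it ever reaches `subprocess`. It assumes a Claude-Desktop-style config shape, a JSON object under `mcpServers` whose entries carry `command`, `args` and `env`; that shape, the `ALLOWED_COMMANDS` and `FORBIDDEN_ENV` values, and the sample entries are assumptions and constructed samples, not values from the disclosure.

```python
"""Validate an MCP STDIO server entry before spawning it.

Added example, not code from OX Security, Anthropic, or any MCP SDK.
Assumes a Claude-Desktop-style config shape: a JSON object under
"mcpServers" whose entries carry "command", "args" and "env" (this
shape is an assumption; adapt the key names to your client).
"""
import json
import os
import shutil
import subprocess

# Constructed sample: one benign entry and one poisoned entry of the kind
# the article describes (a command the operator never intended to run).
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "docs": {
            "command": "python3",
            "args": ["-m", "docs_server", "--root", "./docs"],
            "env": {"DOCS_CACHE": "/tmp/docs-cache"},
        },
        "poisoned": {
            "command": "/bin/sh",
            "args": ["-c", "<arbitrary attacker command>"],
            "env": {"LD_PRELOAD": "/tmp/x.so"},
        },
    }
})

# Defender-side policy. Hypothetical values; tune per deployment.
ALLOWED_COMMANDS = {"python3", "node", "uvx"}
FORBIDDEN_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH", "DYLD_INSERT_LIBRARIES",
                 "PATH", "PYTHONPATH", "NODE_OPTIONS"}


class UnsafeServerConfig(ValueError):
    pass


def naive_spawn_args(entry):
    """The pattern the article warns about: the config is trusted as-is."""
    return [entry["command"], *entry.get("args", [])]


def validate_entry(name, entry):
    """Return a sanitised (argv, env) pair or raise UnsafeServerConfig."""
    command = entry.get("command")
    if not isinstance(command, str) or not command:
        raise UnsafeServerConfig(f"{name}: missing command")
    # Refuse explicit paths and any interpreter not on the allowlist.
    if os.path.basename(command) != command or command not in ALLOWED_COMMANDS:
        raise UnsafeServerConfig(f"{name}: command {command!r} not allowlisted")
    args = entry.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        raise UnsafeServerConfig(f"{name}: args must be a list of strings")
    # -c / -e / --eval hand the interpreter an inline program; reject them.
    if any(a in ("-c", "-e", "--eval") for a in args):
        raise UnsafeServerConfig(f"{name}: inline code flag in args")
    env = entry.get("env", {})
    if not isinstance(env, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in env.items()
    ):
        raise UnsafeServerConfig(f"{name}: env must be a string-to-string map")
    bad = FORBIDDEN_ENV & set(env)
    if bad:
        raise UnsafeServerConfig(f"{name}: forbidden env keys {sorted(bad)}")
    # Start from a minimal environment rather than inheriting the client's.
    clean_env = {"PATH": "/usr/bin:/bin", **env}
    return [command, *args], clean_env


def load_servers(config_text):
    """Partition config entries into accepted (argv, env) specs and rejections."""
    accepted, rejected = {}, {}
    for name, entry in json.loads(config_text).get("mcpServers", {}).items():
        try:
            accepted[name] = validate_entry(name, entry)
        except UnsafeServerConfig as exc:
            rejected[name] = str(exc)
    return accepted, rejected


def spawn(argv, env):
    """Spawn with shell=False and an explicit env; the pipes carry MCP's JSON-RPC."""
    if shutil.which(argv[0], path=env["PATH"]) is None:
        raise UnsafeServerConfig(f"{argv[0]} not found on restricted PATH")
    return subprocess.Popen(argv, env=env,
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE)


if __name__ == "__main__":
    ok, bad = load_servers(SAMPLE_CONFIG)
    print("accepted:", list(ok))
    print("rejected:", bad)
```

The point of `validate_entry` is that the decision about what may run lives with the operator of the host, not with whoever last wrote the config file; `naive_spawn_args` is kept only to show how short the unsafe path is.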

The list of affected projects reads like an inventory of the open-source agent ecosystem. Patched at the time of disclosure: LiteLLM (CVE-2026-30623), Bisheng (CVE-2026-33224) and DocsGPT (CVE-2026-26015). Unpatched at disclosure: GPT Researcher, Agent Zero, Fay Framework, Langchain-Chatchat, Jaaz, Upsonic, Windsurf and Flowise — each carrying its own CVE allocation and its own patch timeline.

Anthropic’s “expected” stance

The notable wrinkle is the upstream response. Anthropic, the protocol author, has reportedly declined to modify the architecture, classifying the unsafe-default behavior as expected. That stance is defensible from a protocol-design point of view: STDIO is a low-level transport, the configuration object was always meant to be trusted, and a well-implemented server can sanitise before spawning. It is also exactly the kind of position that produces this outcome — hundreds of independent implementers reading the spec, seeing the official SDK behave a certain way, and copying the pattern into their own servers without adding the sanitisation that the protocol assumed they would.

This is not the first time the same pattern has surfaced in the MCP neighborhood. Prior independent reports — CVE-2025-49596 in MCP Inspector, CVE-2026-22252 in LibreChat, CVE-2026-22688 in WeKnora, CVE-2025-54994 in @akoskm/create-mcp-server-stdio, and CVE-2025-54136 in Cursor — all occupy the same trust-boundary geography: configuration data crossing from client to server without the explicit guardrails the protocol assumes implementers will add.

What this means

For practitioners, three priorities follow.

First, treat MCP servers as production code, not dev tooling. The phrase “an open-source agent component” is doing a lot of work in change-management policy, and the supply-chain inventory of agent stacks needs to be a first-class artifact, not a notes-app list. If GPT Researcher or Flowise or Windsurf is in production, their CVEs need to enter the same SLA queue as Microsoft and Cisco — same patch deadlines, same exception-approval bar.

Second, audit MCP configuration files at rest. Any place a configuration object is read from disk, fetched from a registry, or pulled from a Git remote is a place an attacker can plant the payload. Restrict write access, sign configurations where the toolchain supports it, and treat unsigned or unverified configs as untrusted input — not as developer convenience.
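As an added example of the at-rest audit (not code from the article or any MCP project), the following treats a config file as trusted only when its SHA-256 matches a manifest the operator pins out of band and when the file and its directory are not writable by other users. The digest manifest stands in for the signature the paragraph recommends; a real deployment would sign the manifest itself. The config contents, paths and the `demo` walk-through are constructed.

```python
"""Audit MCP configuration files at rest before a client trusts them.

Added example, not code from the article or any MCP project. A config is
trusted only when (a) its SHA-256 matches a pinned manifest the operator
maintains out of band and (b) the file and its directory are not writable
by other users. The manifest stands in for a signed artifact.
"""
import hashlib
import json
import os
import stat
import tempfile


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def permission_findings(path):
    """Return the reasons, if any, that the file's storage is not trustworthy."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("config is a symlink")
        st = os.stat(path)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("config is group- or world-writable")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append("config is not owned by the current user")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("config directory is world-writable without sticky bit")
    return findings


def audit_config(path, manifest):
    """Classify a config as verified, drifted or unpinned, plus storage findings.

    `manifest` maps absolute config paths to expected SHA-256 hex digests.
    Anything other than ("verified", []) should be handled as untrusted input.
    """
    findings = permission_findings(path)
    expected = manifest.get(os.path.abspath(path))
    if expected is None:
        status = "unpinned"
    elif expected == sha256_file(path):
        status = "verified"
    else:
        status = "drifted"
    return status, findings


def is_trusted(path, manifest):
    status, findings = audit_config(path, manifest)
    return status == "verified" and not findings


def demo():
    """Constructed walk-through: pin, verify, tamper, loosen permissions."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "mcp.json")
        with open(cfg, "w") as fh:
            json.dump({"mcpServers": {"docs": {"command": "python3",
                                               "args": ["-m", "docs_server"]}}}, fh)
        os.chmod(cfg, 0o600)
        manifest = {os.path.abspath(cfg): sha256_file(cfg)}
        results["pinned"] = audit_config(cfg, manifest)
        with open(cfg, "a") as fh:  # simulate an unauthorised edit on disk
            fh.write("\n")
        results["tampered"] = audit_config(cfg, manifest)
        os.chmod(cfg, 0o666)  # simulate permissions loosened by a bad install step
        results["loose"] = audit_config(cfg, manifest)
        results["unpinned"] = audit_config(cfg, {})
    return results


if __name__ == "__main__":
    for label, (status, findings) in demo().items():
        print(f"{label}: {status} {findings}")
```

`is_trusted` is the single call a client should make before handing a config to its spawn path; every other outcome, including "unpinned", falls back to the same handling as any other unverified input.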

Third, plan around upstream “expected behavior” stances becoming more common. As AI infrastructure matures, more vendors will publish protocols that hand the safe-default question to downstream implementers. The lesson from Spring Framework, from Log4j, from Jenkins is the same: when the official SDK is permissive by design, the ecosystem inherits the permissive default at scale, and the cleanup happens one CVE at a time.