Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain

Staff Editor 2026-04-20
Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain

Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain

https://thehackernews.com/2026/04/anthropic-mcp-design-vulnerability.html

Publish Date: 2026-04-20 06:42:00

Source Domain: thehackernews.com

Ravie LakshmananApr 20, 2026Artificial Intelligence / Vulnerability

Cybersecurity researchers have discovered a critical “by design” weakness in the Model Context Protocol’s (MCP) architecture that could pave the way for remote code execution and have a cascading effect on the artificial intelligence (AI) supply chain.

“This flaw enables Arbitrary Command Execution (RCE) on any system running a vulnerable MCP implementation, granting attackers direct access to sensitive user data, internal databases, API keys, and chat histories,” OX Security researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok, and Roni Bar said in an analysis published last week.

The cybersecurity company said the systemic vulnerability is baked into Anthropic’s official MCP software development kit (SDK) across any supported language, including Python, TypeScript, Java, and Rust. In all, it affects more than 7,000 publicly accessible servers and software packages totaling more than 150 million downloads.

At issue are unsafe defaults in how MCP configuration works over the STDIO (standard input/output) transport interface, resulting in the discovery of 10 vulnerabilities spanning popular projects like LiteLLM, LangChain, LangFlow, Flowise, LettaAI, and LangBot –

  • CVE-2025-65720 (GPT Researcher)
  • CVE-2026-30623 (LiteLLM) – Patched
  • CVE-2026-30624 (Agent Zero)
  • CVE-2026-30618 (Fay Framework)
  • CVE-2026-33224 (Bisheng) – Patched
  • CVE-2026-30617 (Langchain-Chatchat)
  • CVE-2026-33224 (Jaaz)
  • CVE-2026-30625 (Upsonic)
  • CVE-2026-30615 (Windsurf)
  • CVE-2026-26015 (DocsGPT) – Patched
  • CVE-2026-40933 (Flowise)

These vulnerabilities fall under four broad categories, effectively triggering remote command execution on the server –

  • Unauthenticated and authenticated command injection via MCP STDIO
  • Unauthenticated command injection via direct STDIO configuration with hardening bypass
  • Unauthenticated command injection via MCP configuration edit through zero-click prompt injection
  • Unauthenticated…

Source

More Stories

Accelerating cloud-powered cybersecurity learning with IBM Cyber Campus and AWS

Accelerating cloud-powered cybersecurity learning with IBM Cyber Campus and AWS

Staff Editor 2026-06-07
DentaQuest Breach: ShinyHunters Publish Data Impacting 2.6M People

DentaQuest Breach: ShinyHunters Publish Data Impacting 2.6M People

Staff Editor 2026-06-07
Security Affairs newsletter Round 580 by Pierluigi Paganini – INTERNATIONAL EDITION

Security Affairs newsletter Round 580 by Pierluigi Paganini – INTERNATIONAL EDITION

Staff Editor 2026-06-07

Terms and Conditions - Privacy Policy