CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ⬡ Vulnerabilities & CVEs May 23, 2026

Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain - The Hacker News

The Hacker News Archived May 23, 2026 ✓ Full text saved

Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain The Hacker News

Full text archived locally
✦ AI Summary · Claude Sonnet


    Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain Ravie LakshmananApr 20, 2026Artificial Intelligence / Vulnerability Cybersecurity researchers have discovered a critical "by design" weakness in the Model Context Protocol's (MCP) architecture that could pave the way for remote code execution and have a cascading effect on the artificial intelligence (AI) supply chain. "This flaw enables Arbitrary Command Execution (RCE) on any system running a vulnerable MCP implementation, granting attackers direct access to sensitive user data, internal databases, API keys, and chat histories," OX Security researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok, and Roni Bar said in an analysis published last week. The cybersecurity company said the systemic vulnerability is baked into Anthropic's official MCP software development kit (SDK) across any supported language, including Python, TypeScript, Java, and Rust. In all, it affects more than 7,000 publicly accessible servers and software packages totaling more than 150 million downloads. At issue are unsafe defaults in how MCP configuration works over the STDIO (standard input/output) transport interface, resulting in the discovery of 10 vulnerabilities spanning popular projects like LiteLLM, LangChain, LangFlow, Flowise, LettaAI, and LangBot - CVE-2025-65720 (GPT Researcher) CVE-2026-30623 (LiteLLM) - Patched CVE-2026-30624 (Agent Zero) CVE-2026-30618 (Fay Framework) CVE-2026-33224 (Bisheng) - Patched CVE-2026-30617 (Langchain-Chatchat) CVE-2026-33224 (Jaaz) CVE-2026-30625 (Upsonic) CVE-2026-30615 (Windsurf) CVE-2026-26015 (DocsGPT) - Patched CVE-2026-40933 (Flowise) These vulnerabilities fall under four broad categories, effectively triggering remote command execution on the server - Unauthenticated and authenticated command injection via MCP STDIO Unauthenticated command injection via direct STDIO configuration with hardening bypass Unauthenticated command injection via MCP configuration edit through zero-click prompt injection Unauthenticated command injection through MCP marketplaces via network requests, triggering hidden STDIO configurations "Anthropic's Model Context Protocol gives a direct configuration-to-command execution via their STDIO interface on all of their implementations, regardless of programming language," the researchers explained. "As this code was meant to be used in order to start a local STDIO server, and give a handle of the STDIO back to the LLM. But in practice it actually lets anyone run any arbitrary OS command, if the command successfully creates an STDIO server it will return the handle, but when given a different command, it returns an error after the command is executed." Interestingly, vulnerabilities based on the same core issue have been reported independently over the past year. They include CVE-2025-49596 (MCP Inspector), CVE-2026-22252 (LibreChat), CVE-2026-22688 (WeKnora), CVE-2025-54994 (@akoskm/create-mcp-server-stdio), and CVE-2025-54136 (Cursor). Anthropic, however, has declined to modify the protocol's architecture, citing the behavior as "expected." While some of the vendors have issued patches, the shortcoming remains unaddressed in Anthropic's MCP reference implementation, causing developers to inherit the code execution risks. The findings highlight how AI-powered integrations can inadvertently expand the attack surface. To counter the threat, it's advised to block public IP access to sensitive services, monitor MCP tool invocations, run MCP-enabled services in a sandbox, treat external MCP configuration input as untrusted, and only install MCP servers from verified sources. "What made this a supply chain event rather than a single CVE is that one architectural decision, made once, propagated silently into every language, every downstream library, and every project that trusted the protocol to be what it appeared to be," OX Security said. "Shifting responsibility to implementers does not transfer the risk. It just obscures who created it." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Anthropic, Application Security, artificial intelligence, Command Injection, cybersecurity, remote code execution, software development, Supply Chain Security, Vulnerability ⚡ Top Stories This Week Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI and More Packages ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More [Webinar] How Modern Attack Paths Cross Code, Pipelines, and Cloud Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution Load More ▼ ⭐ Featured Resources Identify Internal Attack Surfaces More Efficiently With a Free Assessment [eBook] Get the 3-Number SOC Diagnostic to Reduce Queue Risk [Guide] Stop Email Fraud Before It Turns Into Ransomware Damage [Webinar] Learn How to Handle Critical SOC Alerts With AI Support
    💬 Team Notes
    Article Info
    Source
    The Hacker News
    Category
    ⬡ Vulnerabilities & CVEs
    Published
    May 23, 2026
    Archived
    May 23, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗