Features 06.05.2026
AI Autopsy: A Systemic Flaw in MCP Puts the Agentic AI Supply Chain at Risk
What happens when a ‘systemic’ flaw appears in a protocol, and its designer refuses to patch it?
When is a coding error an architectural design? When Anthropic is the developer. Its Model Context Protocol (MCP) is the de facto industry standard for connecting AI models to the places where data lives. As such, it sits at the heart of agentic AI development and is integrated into open-source projects far and wide.
But what happens when a ‘systemic’ flaw appears in that protocol, and its designer refuses to patch it? The world is about to find out. According to researchers, software packages with over 150 million downloads may already be impacted.
Ox Security researchers uncovered the vulnerability while analysing an open-source project known as GPT Researcher, and soon traced it back to MCP and Anthropic. It relates to MCP's STDIO transport, in which the client launches an MCP server as a local subprocess and talks to it over standard input and output.
“MCP adapters give developers the ability to run any custom local MCP server on their machine. If the command starts an MCP server on STDIO, the code returns success, and the communication between the MCP and server starts,” Ox Security wrote. “But if the command fails, it just returns an error. The problem is that the command is still executed in this ‘return error’ scenario. Abusing this logic is the basis of an arbitrary command execution vulnerability we found in many projects directly using Anthropic’s MCP.”
Because MCP, by design, sits at the most sensitive point in any AI stack, the bug could allow threat actors to access customer records and private conversations, source code repositories, internal databases and file systems, and API keys and authentication credentials. Most concerning of all, it could enable remote code execution and the deployment of malicious workloads on a targeted system.
Ox Security discovered four distinct attack vectors. The first is the most straightforward: unauthenticated user interface injection, which allows an attacker to enter commands that run directly on the server. The second, hardening bypass, allows attackers to circumvent sandboxes that developers may have implemented, once again enabling them to run commands on the targeted server.
A third attack vector is a zero-click prompt injection that works across AI-assisted integrated development environments (IDEs) and coding assistants, tricking the tools into modifying the MCP configuration to insert arbitrary command execution. Finally, attackers could poison MCP marketplaces by uploading malicious MCP servers that generate malware on installation.
Anthropic has steadfastly refused to fix the issue, describing the behaviour as “expected”. Instead, the firm updated its security policy to clarify that developers should take care when using STDIO MCP adapters. The result is to push responsibility for securing MCP deployments down to the wider open-source community.
Ox Security said the blast radius is “massive”. It has already executed commands on six live production platforms, identifying critical vulnerabilities in LiteLLM, LangChain, and IBM’s LangFlow. It is working with these communities to patch individual projects, and they have already issued 10 critical or high-severity CVEs. The researchers were also able to compromise thousands of public servers across more than 200 projects and to upload a malicious proof-of-concept MCP server to 9 of 11 marketplaces.
The security vendor estimates that over 7,000 publicly accessible servers and up to 200,000 vulnerable MCP servers could be exposed.
“The most dangerous scenario is what we call shadow IT: MCP-enabled servers such as Flowise and LangFlow running inside organisations, connected to sensitive data, that nobody is monitoring. If those servers are exposed to the internet, they’re a silent breach waiting to happen,” Ox Security research team lead, Moshe Siman Tov Bustan, tells Assured Intelligence.
“Developer machines are the new perimeter. Employees using AI coding tools, such as IDEs and coding agents, are exposed via their MCP configurations. A threat actor who can modify a developer’s MCP configuration file can execute arbitrary commands on that machine – and from there, move laterally through the organisation.”
GitGuardian CTO Jeremy Brown tells Assured Intelligence that CISOs must respond by addressing three elements: architecture, inventory, and credential exposure.
“First, treat MCP as a supply-chain control problem and push teams to remove unsafe execution paths, require explicit approval for dangerous behaviours, and tightly govern any marketplace or third-party MCP components,” he says. “Second, build a real inventory of where MCP is running, which tools can modify its configuration, which services it can reach, and which business systems sit behind those connections. That gives you the blast radius.”
Finally, security leaders should assume secrets are scattered across the environment and reduce their value to attackers by minimising permissions, shortening credential lifetimes and continuously monitoring for exposure, Brown advises.
Ox Security’s Bustan goes further. He suggests that CISOs block access to unofficial MCP marketplaces and use only the official GitHub MCP Registry, which doesn’t allow unvetted server uploads. Security teams should also block prompt injection and monitor for unusual activity on developer machines, and should “think carefully” about which tools to allow in their environments.
“Windsurf is a particular concern,” he claims. “Their security team didn’t respond to our disclosure, and the issue remains unpatched. If a vendor can’t respond to a responsible disclosure, that’s a signal they may have other unpatched issues.”
CISOs should also run an audit of MCP-enabled servers, update where possible, change default passwords, add MFA and run them in isolated environments separate from the main corporate network, Bustan adds. If organisations’ products use the official MCP SDK or dependent packages like LangChain MCP Adapters, user input reaching certain SDK functions can result in direct command execution on the server, he warns. CISOs should therefore block MCP STDIO by default if possible, or at least sanitise user input or use a predefined allowlist of accepted commands.
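To make the mechanism in the Ox Security quotation above concrete, and to show what the allowlist approach Bustan recommends looks like in practice, the following is an added example written for this article. It is not Anthropic’s SDK, LangChain’s adapters or Ox Security’s proof of concept; it only mirrors the shape of a STDIO server entry (`command`, `args`, `env`). All function names, the launcher allowlist and the environment denylist are hypothetical, and the input in `demo()` is constructed: a “server” that writes a marker file and then exits with an error, standing in for any command that fails the MCP handshake but has side effects anyway.

```python
"""Illustrative model of the STDIO launch flaw: vulnerable and hardened side by side.

Added example, not Anthropic's SDK, LangChain's adapters or Ox Security's
proof of concept. Function names, allowlist and denylist are hypothetical.
"""
import os
import pathlib
import re
import shutil
import subprocess
import sys
import tempfile

# Hypothetical allowlist: launcher basename -> flags that would turn it into
# an inline code runner. Anything not listed here is refused outright.
STDIO_ALLOWLIST = {
    "npx": {"-c", "--call"},
    "uvx": set(),
    "node": {"-e", "--eval", "-p", "--print"},
}
# Hypothetical denylist: variables that change what the launcher actually runs.
ENV_DENYLIST = {"PATH", "LD_PRELOAD", "LD_LIBRARY_PATH",
                "DYLD_INSERT_LIBRARIES", "NODE_OPTIONS", "PYTHONPATH"}
ENV_KEY_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")


def _spawn(argv, env):
    """Start the server process and report whether it stayed up.

    subprocess.run stands in for the real spawn-then-handshake step: a process
    still alive after the timeout is treated as a live server, a non-zero exit
    is the "return error" case from the quoted write-up. shell=False (the
    default) keeps shell metacharacters inert; it does not stop an attacker
    from naming an arbitrary binary, which is the allowlist's job.
    """
    try:
        proc = subprocess.run(argv, env=env, capture_output=True, timeout=2)
    except subprocess.TimeoutExpired:
        return {"ok": True, "error": None}
    except OSError as exc:  # e.g. command not found
        return {"ok": False, "error": str(exc)}
    if proc.returncode != 0:
        return {"ok": False, "error": f"server exited with {proc.returncode}"}
    return {"ok": True, "error": None}


def launch_unchecked(config):
    """Vulnerable pattern: spawn whatever the config names and validate nothing.

    When the command fails, the caller gets an error back, but the command has
    already executed with the caller's privileges and environment.
    """
    argv = [config["command"], *config.get("args", [])]
    env = {**os.environ, **config.get("env", {})}
    return _spawn(argv, env)


def check_stdio_config(config, allowlist=STDIO_ALLOWLIST):
    """Decide, without spawning anything, whether a STDIO entry may run.

    Returns (argv, None) when accepted, (None, reason) when rejected.
    """
    command = config.get("command")
    if not isinstance(command, str) or not command:
        return None, "command must be a non-empty string"
    if command != os.path.basename(command):
        return None, "command must be a bare name, not a path"
    if command not in allowlist:
        return None, f"{command!r} is not an allowlisted launcher"
    args = config.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return None, "args must be a list of strings"
    if any("\0" in a for a in args):
        return None, "args may not contain NUL bytes"
    banned = {a.split("=", 1)[0] for a in args} & allowlist[command]
    if banned:
        return None, f"inline-code flags are not permitted: {sorted(banned)}"
    env = config.get("env", {})
    if not isinstance(env, dict):
        return None, "env must be a mapping"
    for key, value in env.items():
        if not isinstance(key, str) or not isinstance(value, str):
            return None, "env keys and values must be strings"
        if not ENV_KEY_RE.match(key) or key in ENV_DENYLIST:
            return None, f"env variable {key!r} is not permitted"
    return [command, *args], None


def launch_checked(config):
    """Hardened pattern: validate, resolve the launcher to an absolute path,
    build a minimal environment, and only then spawn."""
    argv, reason = check_stdio_config(config)
    if argv is None:
        return {"ok": False, "error": f"rejected before spawn: {reason}"}
    resolved = shutil.which(argv[0])
    if resolved is None:
        return {"ok": False, "error": f"rejected before spawn: {argv[0]} not installed"}
    env = {"PATH": os.environ.get("PATH", ""), **config.get("env", {})}
    return _spawn([resolved, *argv[1:]], env)


def demo(checked):
    """Constructed input: a 'server' that writes a marker file, then exits 1 as
    if the MCP handshake had failed. Returns (launcher_reported_ok, marker_exists)."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = pathlib.Path(tmp) / "ran"
        config = {  # sys.executable stands in for whatever binary an attacker names
            "command": sys.executable,
            "args": ["-c",
                     "import pathlib, sys; pathlib.Path(sys.argv[1]).write_text('ran'); sys.exit(1)",
                     str(marker)],
        }
        result = (launch_checked if checked else launch_unchecked)(config)
        return result["ok"], marker.exists()


if __name__ == "__main__":
    print("unchecked:", demo(checked=False))  # (False, True): error returned, command ran anyway
    print("checked:  ", demo(checked=True))   # (False, False): rejected before anything ran
```

The point of the two `demo()` runs is the one the researchers make: in the unchecked path the launcher reports a failure, yet the marker file proves the command executed. The checked path refuses the entry before `subprocess` is ever called, because a full path is not a bare allowlisted launcher. Note what an allowlist alone does not buy you: `npx -y <package>` still hands execution to whatever package is named, so the package identity has to be governed as well, which is why the advice above pairs the allowlist with marketplace restrictions.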
The advice from Kevin Curran, an IEEE senior member and professor of cybersecurity at Ulster University, broadly echoes the points listed above. He argues that a combination of “inventory, containment, supply chain control, credential segmentation, runtime guardrails and policy” will go a long way to mitigating the risks Ox Security describes.
However, he’s more cautious about the framing of the research itself. As has been argued elsewhere, the vulnerability “looks more like an application-level input validation failure” than a bug in the protocol itself. That makes Anthropic’s position – that sanitisation sits with the developer – less controversial than it may seem.
That said, the findings should be treated with the gravity they deserve, for three reasons, Curran says. “First, the STDIO transport is the default on-ramp for nearly every major agentic development tool. Second, MCP servers are being distributed through npm, PyPI and GitHub with minimal provenance checks,” Curran continues. “Third, the ‘by design’ stance means the fix lives at thousands of integration points rather than in one protocol revision so that misconfigurations will persist for years.”
In time, agentic AI and some form of MCP will be deployed in most organisations. For CISOs, that means if this research isn’t relevant today, it most likely will be tomorrow.