Cybersecurity researchers have discovered a critical “by design” weakness in the Model Context Protocol’s (MCP) architecture that could pave the way for remote code execution and have a cascading effect on the artificial intelligence (AI) supply chain. “This flaw enables Arbitrary Command Execution (RCE) on any system running a vulnerable MCP implementation, granting attackers direct access to sensitive user data, internal databases, API keys, and chat histories,” OX Security researchers said in an analysis published last week.
The cybersecurity company said the systemic vulnerability is baked into Anthropic’s official MCP software development kit (SDK) across any supported language, including Python, TypeScript, Java, and Rust. In all, it affects more than 7,000 publicly accessible servers and software packages totalling more than 150 million downloads.
At issue are unsafe defaults in how MCP configuration works over the STDIO (standard input/output) transport interface, resulting in the discovery of 10 vulnerabilities spanning popular projects like LiteLLM, LangChain, LangFlow, Flowise, LettaAI, and LangBot. These vulnerabilities effectively trigger remote command execution on the server through multiple vectors including unauthenticated command injection via MCP STDIO and zero-click prompt injection.
Anthropic has declined to modify the protocol’s architecture, citing the behaviour as “expected.” While some of the vendors have issued patches, the shortcoming remains unaddressed in Anthropic’s MCP reference implementation, causing developers to inherit the code execution risks. OX Security said: “What made this a supply chain event rather than a single CVE is that one architectural decision, made once, propagated silently into every language, every downstream library, and every project that trusted the protocol to be what it appeared to be.”
Click here for the original article.

