
A single architectural decision baked into Anthropic's Model Context Protocol has quietly turned the backbone of the AI agent ecosystem into a remote code execution (RCE) machine — one that ran undetected across more than 200,000 servers, 150 million downloads, and dozens of tools that millions of developers trust every day.
OX Security researchers disclosed the findings today in a report they're calling "The Mother of All AI Supply Chains" — the result of a months-long investigation that began in November 2025 and produced over 30 responsible disclosures, 10+ Critical and High CVEs, and direct proof-of-concept exploitation on six live production platforms with real paying customers.
The Root Cause: A Design Choice, Not a Coding Mistake
The vulnerability lives inside Anthropic's modelcontextprotocol SDK — specifically its STDIO interface, which is designed to launch local server processes and hand control to an AI model. The problem is that the underlying process execution logic runs any OS command passed to it, regardless of whether that command actually starts a valid MCP server. If the fake server fails to start, the code returns an error — but the command still executes. No sanitisation. No warning to the developer. Nothing.
[Figure: MCP STDIO Process Execution Behaviour. Image: OX Security]
This isn't a typo in someone's codebase. It's present across every language Anthropic officially supports: Python, TypeScript, Java, Kotlin, C#, Go, Ruby, Swift, PHP, and Rust. Any developer who builds on the MCP foundation inherits the exposure automatically, whether they know it or not.
How Bad Did It Get? Researchers Showed RCE on Live Platforms
OX researchers identified four distinct exploitation families and demonstrated each one in the wild.
On LangFlow — an IBM-owned open-source automation framework with over 915 publicly accessible instances on Shodan — attackers don't even need an account. A session token is freely available to any unauthenticated visitor. Researchers used it to push a malicious MCP STDIO configuration, enabling a full server takeover. The flaw was reported in January 2026; it took until March 18 for LangFlow maintainers to formally acknowledge it.
On Letta AI (app.letta.com), a production platform for building stateful AI agents, researchers intercepted a "Test Connection" network request via a man-in-the-middle proxy, replaced the HTTP payload with a STDIO configuration, and executed arbitrary commands directly on Letta's production servers.
Flowise had actually tried to prevent this — they restricted allowed commands and stripped special characters. Researchers bypassed it in a single step: passing arbitrary commands through npx's -c flag, which Flowise permitted. The lesson, the researchers note, is that ad-hoc input filtering is meaningless when the underlying architecture allows arbitrary subprocess execution.
The fourth attack family targets developers directly. AI-powered IDEs, including Windsurf, Cursor, Claude Code, Gemini-CLI, and GitHub Copilot, all support MCP configuration files that AI agents can modify.
Windsurf was the most severe: a victim visiting a malicious website could have arbitrary commands executed on their local machine without a single click of approval, earning CVE-2026-30615. The other IDEs require at least one user interaction before the MCP config file is modified — enough for vendors like Anthropic and Microsoft to classify the behaviour as "by design."
| Family | CVE ID | Product | Attack Vector | Severity | Status |
|---|---|---|---|---|---|
| Direct UI Injection | In Progress | LangFlow | Unauthenticated UI injection via token | Critical | Reported |
| Direct UI Injection | CVE-2025-65720 | GPT Researcher | UI injection / reverse shell | Critical | Reported |
| Direct UI Injection | CVE-2026-30623 | LiteLLM | Authenticated RCE via JSON config | Critical | Patched |
| Direct UI Injection | CVE-2026-30624 | Agent Zero | Unauthenticated UI injection | Critical | Reported |
| Direct UI Injection | Unassigned | LangBot | Unauthenticated UI injection | Critical | Reported |
| Direct UI Injection | Unassigned | Undisclosed 3 | Authenticated UI injection | Critical | Patched |
| Direct UI Injection | CVE-2026-30618 | Fay Framework | Unauthenticated Web-GUI RCE | Critical | Reported |
| Direct UI Injection | CVE-2026-33224 | Bisheng | Authenticated UI injection (Open Registration) | Critical | Patched |
| Direct UI Injection | CVE-2026-30617 | Langchain-Chatchat | Unauthenticated UI injection | Critical | Reported |
| Direct UI Injection | CVE-2026-33224 | Jaaz | Unauthenticated UI injection | Critical | Reported |
| Direct UI Injection | In Progress | Undisclosed 1 | Unauthenticated UI injection | Critical | Reported |
| Direct UI Injection | No CVE Issued | Firebase Studio | Authenticated STDIO injection | Critical | Reported |
| Direct UI Injection | No CVE Issued | promptfoo | Unauthenticated UI injection | Critical | Reported |
| Direct UI Injection | No CVE Issued | OpenHands | Unauthenticated UI injection | Critical | Reported |
| Hardening Bypass | CVE-2026-30625 | Usopnic | Allowlist bypass via npx/npm args | High | Warning |
| Hardening Bypass | GHSA-c9gw-hvqq | Flowise | Allowlist bypass via npx -c | High | Patched |
| Prompt Injection | CVE-2026-30615 | Windsurf | Zero-click prompt injection to local RCE | Critical | Reported |
| Prompt Injection | No CVE Issued | Cursor | Prompt injection (requires click) | Critical | By Design |
| Prompt Injection | No CVE Issued | Claude Code | Prompt injection (requires click) | Critical | By Design |
| Prompt Injection | No CVE Issued | Gemini-CLI | Prompt injection (requires click) | Critical | By Design |
| Prompt Injection | No CVE Issued | GitHub Copilot VScode | Prompt injection (requires click) | Critical | By Design |
| Hidden STDIO Config | CVE-2026-26015 | DocsGPT | MITM transport-type substitution | Critical | Patched |
| Hidden STDIO Config | Unassigned | LettaAI | MITM transport-type substitution | Critical | Patched |
| Hidden STDIO Config | In Progress | Undisclosed 2 | MCP STDIO Injection via Agent Framework | Critical | Reported |
| Root & Transport Layer | No CVE Issued | MCP (Anthropic) | Injection via MCP transport layer | Critical | Reported |
| Root & Transport Layer | No CVE Issued | LangChain | Injection via MCP transport layer | Critical | Reported |
| Root & Transport Layer | No CVE Issued | FastMCP | Injection via MCP transport layer | Critical | Reported |
| Root & Transport Layer | No CVE Issued | browser-use | Injection via MCP transport layer | Critical | Reported |
| Root & Transport Layer | No CVE Issued | awslabs Run MCP (AWS Lambda) | Injection via MCP transport layer | Critical | Reported |
| Root & Transport Layer | No CVE Issued | NVIDIA NeMo Agent Toolkit | Injection via MCP transport layer | Critical | Reported |
Anthropic Was Told. It Said No.
OX contacted Anthropic on January 7, 2026. The response: expected behaviour. Anthropic did update its SECURITY.md file nine days later to clarify that STDIO adapters should be used with caution — but made no architectural changes. OX notified Anthropic of its intent to publish; Anthropic raised no objection.
Meanwhile, the researchers uploaded a proof-of-concept malicious MCP server to 11 major MCP marketplaces. Nine accepted it without any security review. Only GitHub's managed registry blocked the submission.
What You Should Do Now
If you run any MCP-enabled service, the immediate steps are: never expose these services to public IP addresses, treat any user input that reaches STDIO configuration as untrusted, sandbox MCP processes with restricted permissions, and install updates for any affected service that has issued a patch. LiteLLM (CVE-2026-30623), DocsGPT (CVE-2026-26015), Flowise, and Bisheng have been patched; LangFlow, Agent Zero, Fay Framework, and others remain reported but unresolved at the application layer. The root vulnerability in Anthropic's protocol itself remains open.
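Because the SDK spawns whatever command it is handed, the check has to live in the application that accepts the configuration. The following is an added example (not code from OX Security, Anthropic, or any vendor named above) of what "treat STDIO configuration as untrusted" looks like in practice. It places a character-stripping filter of the kind the Flowise finding showed to be bypassable next to a stricter validator that allowlists absolute binary paths rather than runner names, rejects flag-style and shell-syntax arguments and environment overrides, and refuses a transport type the endpoint was never meant to accept (the transport-substitution cases above rely on an HTTP-only endpoint quietly taking a STDIO entry). The configuration shape (`mcpServers` entries with `command`/`args`/`env` or `transport`/`url`), the allowlisted paths and the sample entries are constructed assumptions for the example.

```python
"""Added example (not code from OX Security, Anthropic, or any vendor named in
the article): validating an MCP server configuration before it reaches the
SDK's STDIO transport. The config shape and allowlisted paths are assumptions."""
import json
import os
import re
from dataclasses import dataclass, field

# Constructed allowlist (hypothetical paths): the only executables this service
# is willing to spawn. The SDK spawns whatever it is given, so the caller owns
# this decision.
ALLOWED_STDIO_COMMANDS = {
    "/opt/mcp/bin/mcp-server-filesystem",
    "/opt/mcp/bin/mcp-server-git",
}

# Arguments must be plain tokens (paths, identifiers): no leading '-',
# no shell syntax, no whitespace.
SAFE_ARG = re.compile(r"^[A-Za-z0-9_./][A-Za-z0-9_./-]*$")


@dataclass
class Verdict:
    ok: bool
    reasons: list = field(default_factory=list)


def weak_filter(entry: dict) -> Verdict:
    """The kind of check the article describes as bypassed: accept a known
    runner and strip shell metacharacters from its arguments. It passes
    ['-c', 'echo hello'] because no metacharacter is involved; the runner's
    own flag does the work."""
    runner = os.path.basename(entry.get("command", ""))
    if runner not in {"npx", "node", "uvx", "python"}:
        return Verdict(False, ["runner not in allowlist"])
    args = entry.get("args", [])
    cleaned = [re.sub(r"[;&|`$<>]", "", a) for a in args]
    if cleaned != args:
        return Verdict(False, ["shell metacharacters present"])
    return Verdict(True)


def strict_validate(entry: dict, allowed_transports=("stdio",)) -> Verdict:
    """Allowlist the binary, not the runner; reject flags and env overrides;
    refuse any transport this endpoint was not designed to accept."""
    reasons = []
    transport = entry.get("transport") or ("stdio" if "command" in entry else "http")
    if transport not in allowed_transports:
        reasons.append(f"transport {transport!r} not permitted on this endpoint")
    if transport == "stdio":
        cmd = entry.get("command", "")
        if not (os.path.isabs(cmd) and cmd in ALLOWED_STDIO_COMMANDS):
            reasons.append(f"command {cmd!r} is not an allowlisted absolute path")
        for arg in entry.get("args", []):
            if not (isinstance(arg, str) and SAFE_ARG.match(arg)):
                reasons.append(f"argument {arg!r} rejected")
        if entry.get("env"):
            # Loader and runtime variables can change what an allowlisted
            # binary does; the service sets the environment, not the caller.
            reasons.append("env overrides not permitted")
    else:
        url = entry.get("url", "")
        if not url.startswith("https://"):
            reasons.append(f"url {url!r} must be https")
    return Verdict(not reasons, reasons)


def audit_config(config_text: str, allowed_transports=("stdio",)) -> dict:
    """Parse a config document and return one Verdict per server entry."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: strict_validate(entry, allowed_transports)
            for name, entry in servers.items()}


# Constructed sample: one vetted server, one runner-flag entry of the kind the
# weak filter lets through, and one remote HTTP server.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "files": {"command": "/opt/mcp/bin/mcp-server-filesystem",
                  "args": ["/srv/data"]},
        "runner": {"command": "npx", "args": ["-c", "echo hello"]},
        "remote": {"transport": "http", "url": "https://mcp.example.invalid/sse"},
    }
})

if __name__ == "__main__":
    for name, verdict in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if verdict.ok else "REJECTED", verdict.reasons)
```

Run against the sample, `files` is accepted, `runner` is rejected on three counts (non-absolute command, flag argument, whitespace in an argument) and `remote` is rejected because this endpoint only accepts STDIO entries; calling `audit_config(SAMPLE_CONFIG, allowed_transports=("http",))` models the opposite endpoint, where the STDIO entry is the one refused. The point is that the decision is made on a fixed set of binaries and a fixed transport per endpoint, so there is no character to strip and no runner flag to reach for.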
