{"id":5159,"date":"2026-04-18T07:37:28","date_gmt":"2026-04-18T07:37:28","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2026\/04\/18\/systemic-flaw-in-mcp-protocol-could-expose-150-million-downloads\/"},"modified":"2026-04-18T07:37:28","modified_gmt":"2026-04-18T07:37:28","slug":"systemic-flaw-in-mcp-protocol-could-expose-150-million-downloads","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2026\/04\/18\/systemic-flaw-in-mcp-protocol-could-expose-150-million-downloads\/","title":{"rendered":"Systemic Flaw in MCP Protocol Could Expose 150 Million Downloads"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"https:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Security researchers have warned of a \u201ccritical, systemic\u201d vulnerability in the model context protocol (MCP) which could have a significant impact on the AI supply chain.<\/p>\n<p>MCP is a popular open source standard created by Anthropic which allows AI models to connect to external data and systems.<\/p>\n<p>However,\u00a0in a\u00a0report published on April 15, researchers at Ox Security claimed that a flaw in the protocol could enable arbitrary command execution on any vulnerable system, handing attackers access to sensitive user data, internal databases, API keys, and chat histories.<\/p>\n<p>\u201cThis is not a traditional coding error,\u201d warned the vendor.<\/p>\n<p>\u201cIt is an architectural design decision baked into Anthropic\u2019s official MCP SDKs across every supported programming language, including Python, TypeScript, Java, and Rust. 
Any developer building on the Anthropic MCP foundation unknowingly inherits this exposure.\u201d<\/p>\n<p>It said that over 200 open source projects, 150 million downloads, 7000+ publicly accessible servers and up to 200,000 vulnerable instances in total could be exposed by the vulnerability.<\/p>\n<p>According to Ox Security, the exploit mechanism is fairly straightforward.<\/p>\n<p>\u201cMCP\u2019s STDIO interface was designed to launch a local server process. But the command is executed regardless of whether the process starts successfully,\u201d it explained. \u201cPass in a malicious command, receive an error \u2013 and the command still runs. No sanitization warnings. No red flags in the developer toolchain. Nothing.\u201d<\/p>\n<p>In effect, this could result in complete takeover of a target\u2019s system.<\/p>\n<h2><strong>Who\u2019s to Blame?<\/strong><\/h2>\n<p>Ox Security said it has repeatedly tried to persuade Anthropic to patch the vulnerability. 
However, according to the report,\u00a0the AI giant said that this was \u201cexpected behavior.\u201d<\/p>\n<p>\u201cAnthropic confirmed the behavior is by design and declined to modify the protocol, stating the STDIO execution model represents a secure default and that sanitization is the developer\u2019s responsibility,\u201d Ox Security said.<\/p>\n<p>The company argued that pushing responsibility onto developers for securing their code, instead of securing the infrastructure it runs on, is dangerous given the community\u2019s track record on security.<\/p>\n<p>In the meantime, Ox Security has issued over 30 responsible disclosures and discovered over 10 high or critical-severity CVEs, to help patch individual open source projects.<\/p>\n<p>Kevin Curran,\u00a0IEEE\u00a0senior member and professor of cybersecurity at Ulster University, said the research exposed \u201ca shocking gap in the\u00a0security\u00a0of foundational AI infrastructure\u201d and that the researchers did the right thing.<\/p>\n<p>\u201cWe are trusting these systems with increasingly sensitive data and real-world actions. If the very protocol meant to connect AI agents is this fragile and its creators will not fix it then every company and developer building on top of it needs to treat this as an immediate wake-up call,\u201d he added.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Security researchers have warned of a \u201ccritical, systemic\u201d vulnerability in the model context protocol (MCP) which could have a significant impact on the AI supply chain. MCP is a popular open source standard created by Anthropic which allows AI models to connect to external data and systems. 
However,\u00a0in a\u00a0report published on April 15, researchers at<\/p>\n","protected":false},"author":2,"featured_media":5160,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-5159","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5159-39d74ef9-10ab-43a2-9887-96ca48a1d701.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5159-39d74ef9-10ab-43a2-9887-96ca48a1d701-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5159-39d74ef9-10ab-43a2-9887-96ca48a1d701.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5159-39d74ef9-10ab-43a2-9887-96ca48a1d701.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5159-39d74ef9-10ab-43a2-9887-96ca48a1d701.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5159-39d74ef9-10ab-43a2-9887-96ca48a1d701.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5159-39d74ef9-10ab-43a2-9887-96ca48a1d701.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5159-39d74ef9-10ab-43a2-9887-96ca48a1d701.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5159-39d74ef9-10ab-43a2-9887-96ca48a1d701.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5159-39d74ef9-10ab-43a2-9887-96ca48a1d701.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5159-39d74ef9-10ab-43a2-9887-96ca48a1d701-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a 
href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/5159","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=5159"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/5159\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/5160"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=5159"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=5159"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=5159"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}