Anthropic won't own MCP 'design flaw' putting 200K servers at risk, researcher says

April 16, 2026

The problem, in plain English

It has been reported that a design flaw baked into Anthropic's open‑source Model Context Protocol (MCP) can let an attacker run arbitrary OS commands, potentially handing over complete control of affected servers. Short version: MCP uses STDIO as a local transport to spawn subprocess servers, and, allegedly, its logic hands back a server handle for whatever command manages to start an STDIO server, even when that command should never have been trusted in the first place. Sounds small. It isn't. Who wants a protocol that hands strangers the keys to the kingdom?
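As an added illustration, not code from the MCP SDK or from any project named in this article, here is a hypothetical client-side gate for STDIO servers: an untrusted caller may only name a server from an operator-pinned allowlist, the argv actually spawned is the pinned one, no shell is involved, and extra flags are filtered. The allowlist entry and the echo "server" it points at are constructed for the demo.

```python
import os
import subprocess
import sys
from dataclasses import dataclass

@dataclass(frozen=True)
class PinnedServer:
    """Operator-pinned STDIO server: exact argv plus the only extra flags a caller may add."""
    argv: tuple[str, ...]
    allowed_extra: frozenset[str] = frozenset()

class UntrustedCommand(ValueError):
    """Raised instead of spawning when a request is not covered by the allowlist."""

def resolve_argv(name, extra, allowlist):
    """Map an untrusted (name, extra args) request onto a pinned argv, or refuse."""
    entry = allowlist.get(name)
    if entry is None:
        raise UntrustedCommand(f"{name!r} is not an approved STDIO server")
    exe = entry.argv[0]
    # Pin by absolute path so a PATH lookup cannot swap in a different binary.
    if not os.path.isabs(exe) or not os.path.isfile(os.path.realpath(exe)):
        raise UntrustedCommand(f"pinned executable {exe!r} is missing or not absolute")
    rejected = [a for a in extra if a not in entry.allowed_extra]
    if rejected:
        raise UntrustedCommand(f"extra args not permitted: {rejected!r}")
    return [*entry.argv, *extra]

def is_permitted(name, extra, allowlist):
    """True only if the request maps onto a pinned server; the caller never supplies a command."""
    try:
        resolve_argv(name, extra, allowlist)
        return True
    except UntrustedCommand:
        return False

def spawn_stdio_server(name, extra, allowlist):
    """Spawn the pinned server with no shell involved and return the process handle."""
    return subprocess.Popen(resolve_argv(name, extra, allowlist), stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)

# Constructed allowlist: a toy "server" under the current interpreter upper-cases one line.
ALLOWLIST = {"echo-upper": PinnedServer(argv=(sys.executable, "-c",
    "import sys; sys.stdout.write(sys.stdin.readline().upper())"))}

def round_trip(line):
    """Exchange one line with the pinned server over its STDIO pipes."""
    proc = spawn_stdio_server("echo-upper", [], ALLOWLIST)
    reply, _ = proc.communicate(line + "\n", timeout=10)
    return reply
```

The contrast with the reported behaviour is the input surface: the caller here chooses a name, never a command string, so there is nothing for a command-injection payload to land in.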

How it unravels

Researchers from the Ox team say they repeatedly raised the root issue with Anthropic starting in November 2025 and were told the protocol's behavior was "expected." It has been reported that Ox opened more than 30 responsible‑disclosure threads and catalogued 10 high‑ and critical‑severity CVEs across tools and agents using MCP, arguing a single upstream fix could have reduced risk across packages with more than 150 million downloads. The paper the team published runs 30 pages; their message is blunt: the patching cavalry came late and piecemeal.

Scale and victims

The real sting: the vulnerability can be weaponized in multiple ways, including unauthenticated or authenticated command injection, bypasses of hardening rules, and paths that lead straight to remote code execution. It has been reported that vulnerable projects include LangFlow, GPT Researcher (CVE‑2025‑65720), Upsonic (CVE‑2026‑30625) and Flowise (GHSA‑c9gw‑hvqq‑f33r), among others. Ox claims as many as 200,000 servers were exposed and millions of downstream users could have been impacted. Many developers are left scrambling to harden individual apps instead of fixing the protocol itself.

Response and why it matters

Anthropic did not respond to The Register's inquiries, and it has been reported that the company quietly updated guidance recommending caution with STDIO adapters — a move Ox says "didn't fix anything." This is a classic supply‑chain snag: patch a dozen apps or change the protocol? Which will you pick when time is short and stakes are high? The episode echoes past library‑level disasters and raises a blunt question for the industry: should vendors owning a protocol bear responsibility for fixing architectural pitfalls, or is that burden forever passed down the chain?

Sources: The Register