Anthropic's Model Context Protocol includes a critical remote code execution vulnerability — newly discovered exploit puts 200,000 AI servers at risk

Apr 22, 2026 - 17:31
Anthropic Claude (Image credit: Getty Images)

Security researchers at OX Security have exposed an architectural vulnerability in Anthropic's Model Context Protocol (MCP) that enables arbitrary remote code execution on any system running a vulnerable implementation. The flaw affects MCP's official SDKs across Python, TypeScript, Java, and Rust, and ripples through a supply chain spanning more than 150 million downloads and up to 200,000 server instances. Surprisingly, Anthropic declined to patch the protocol in response, telling researchers the behavior was "expected."

MCP is the open standard Anthropic created in late 2024 to let AI models connect to external tools, databases, and APIs. It was donated to the Linux Foundation's Agentic AI Foundation last December and has since been adopted by OpenAI, Google, and most major AI coding tools.


OX Security said it repeatedly recommended a protocol-level fix to Anthropic, such as manifest-only execution or a command allowlist in the SDKs, that would have protected downstream users immediately, but Anthropic reportedly declined and didn’t object when the researchers said they intended to publish their report.

Ironically, the exposure comes less than a week after Anthropic launched Claude Mythos, a frontier model it’s hyping up as a tool to find security vulnerabilities in other organizations' software. That irony wasn’t lost on OX’s researchers, who noted that the findings were “a call to action” for Anthropic to apply that same commitment in its own infrastructure.


MCP is now under the Linux Foundation’s governance, but it’s still Anthropic that’s responsible for maintaining the reference SDKs where the vulnerability originates. Until its STDIO handling is changed at source, project maintainers will have to implement their own input sanitization.
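The protocol-level fix OX Security proposed, and the interim "input sanitization" the article says maintainers now have to do themselves, both come down to one host-side control: configuration may name a STDIO server, but the host, not the configuration, decides which binary runs and with which options. The block below is an added example of that command allowlist; it is not code from the MCP SDKs or from OX Security's report. The binary paths, the per-command flag sets, the class and function names and the sample configuration are assumptions constructed for this example.

```python
"""Command allowlist for MCP-style STDIO server launches.

Added example, not code from the MCP SDKs or from OX Security's report.  The stdio
transport starts a local server process from a configured command and argument list;
this module shows one shape a host-side command allowlist could take.  The binary
paths, flag sets, class and function names and the sample configuration are all
assumptions constructed for this example.
"""
import os
import re
import subprocess
from dataclasses import dataclass, field

# Configuration may only name a key of this table; the host decides which binary runs.
# (Assumed paths; adjust to the deployment.)
ALLOWED_COMMANDS = {
    "npx": "/usr/bin/npx",
    "uvx": "/usr/local/bin/uvx",
    "python3": "/usr/bin/python3",
    "node": "/usr/bin/node",
}

# Interpreter options permitted before the first positional argument.  Everything not
# listed here (python3 -c, node -e/--require, ...) is denied by default.
ALLOWED_LEADING_FLAGS = {
    "npx": {"-y", "--yes"},
    "uvx": set(),
    "python3": {"-m", "-u", "-I"},
    "node": set(),
}

# Variables that change what code the child loads before the server itself runs.
FORBIDDEN_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH", "DYLD_INSERT_LIBRARIES",
                 "NODE_OPTIONS", "PYTHONPATH", "PYTHONSTARTUP"}
ENV_KEY = re.compile(r"[A-Z_][A-Z0-9_]*")
SHELL_METACHARS = re.compile(r"[;&|`$<>\r\n]")


class UnsafeLaunchError(ValueError):
    """Raised when a server configuration entry fails the allowlist."""


@dataclass(frozen=True)
class StdioLaunch:
    command: str                 # resolved absolute path from ALLOWED_COMMANDS
    args: tuple[str, ...]
    env: dict[str, str] = field(default_factory=dict)

    def argv(self) -> list[str]:
        return [self.command, *self.args]


def validate_server_config(entry: dict) -> StdioLaunch:
    """Return a StdioLaunch for an allowed entry, else raise UnsafeLaunchError."""
    command = entry.get("command")
    args = entry.get("args", [])
    env = entry.get("env", {})

    if not isinstance(command, str) or command not in ALLOWED_COMMANDS:
        raise UnsafeLaunchError(f"command {command!r} is not in the allowlist")

    in_leading_flags = True
    for arg in args:
        if not isinstance(arg, str):
            raise UnsafeLaunchError("arguments must be strings")
        # Defence in depth: argv is passed as a list (no shell), but a server that
        # re-joins its arguments into a shell string would still be exposed.
        if SHELL_METACHARS.search(arg):
            raise UnsafeLaunchError(f"argument {arg!r} contains shell metacharacters")
        if in_leading_flags and arg.startswith("-"):
            if arg not in ALLOWED_LEADING_FLAGS[command]:
                raise UnsafeLaunchError(f"interpreter option {arg!r} is not allowed for {command}")
        else:
            in_leading_flags = False   # positional reached; the rest belongs to the server

    for key, value in env.items():
        if not isinstance(key, str) or not ENV_KEY.fullmatch(key) or key in FORBIDDEN_ENV:
            raise UnsafeLaunchError(f"environment variable {key!r} is not allowed")
        if not isinstance(value, str) or SHELL_METACHARS.search(value):
            raise UnsafeLaunchError(f"value of {key!r} contains shell metacharacters")

    return StdioLaunch(ALLOWED_COMMANDS[command], tuple(args), dict(env))


def spawn_stdio_server(launch: StdioLaunch) -> subprocess.Popen:
    """Start the validated server with list argv (never shell=True) and a minimal env."""
    base_env = {k: v for k, v in os.environ.items() if k in ("PATH", "HOME", "LANG")}
    return subprocess.Popen(
        launch.argv(),
        env={**base_env, **launch.env},
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        shell=False,
    )


if __name__ == "__main__":
    # Constructed sample entries in the usual {"mcpServers": {...}} layout.
    sample_config = {
        "docs": {"command": "npx", "args": ["-y", "@example/mcp-docs-server"]},
        "local": {"command": "python3", "args": ["-m", "my_mcp_server", "--port", "8000"]},
        "shell": {"command": "bash", "args": ["-c", "id"]},
        "inline": {"command": "python3", "args": ["-c", "print('hi')"]},
    }
    for name, entry in sample_config.items():
        try:
            print(f"{name}: allowed -> {validate_server_config(entry).argv()}")
        except UnsafeLaunchError as exc:
            print(f"{name}: rejected ({exc})")
```

The design point is deny-by-default: only interpreter options that appear in the per-command set are accepted before the first positional argument, so an entry cannot turn an allowed launcher into an inline-code runner, and environment variables that redirect what the child loads are refused outright. Validation is deliberately separate from spawning, so a host can lint a whole configuration file and report every rejected entry before any process starts.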


Luke James is a freelance writer and journalist. Although his background is in legal, he has a personal interest in all things tech, especially hardware and microelectronics, and anything regulatory.
