Design Flaw in MCP Endangers 200K Servers, Researchers Warn
Severity: High (Score: 69.8)
Sources: The Register, www.ox.security
Summary
A design flaw in Anthropic's Model Context Protocol (MCP) threatens approximately 200,000 servers with complete takeover, according to the Ox research team. Despite multiple requests for a patch, Anthropic maintains that the protocol functions as intended, leading to the issuance of 10 high- and critical-severity CVEs for related tools. The researchers argue that a root patch could mitigate risks across software packages with over 150 million downloads. The flaw allows unauthenticated command injection, enabling attackers to execute arbitrary OS commands on vulnerable servers. Affected projects include LangFlow and GPT Researcher, with no CVEs issued for these tools yet. Anthropic's recent security policy update advises caution with MCP adapters but does not address the core issue. The research began in November 2025 and involved over 30 responsible disclosures. Anthropic has not responded to inquiries regarding the situation.
Key Points
- A design flaw in MCP affects 200,000 servers, allowing potential complete takeover.
- Ox researchers reported the issue to Anthropic but received no action on a root patch.
- The flaw enables unauthenticated command injection, impacting multiple open-source AI tools.
Key Entities
- Command Injection (attack_type)
- CVE-2025-65720 (cve)
- CVE-2026-30615 (cve)
- CVE-2026-30625 (cve)
- CWE-78 - OS Command Injection (cwe)
- T1059 - Command and Scripting Interpreter (mitre_attack)
- Claude Code (tool)
- Gemini-CLI (tool)
- GitHub Copilot (tool)
- GPT Researcher (tool)
- Upsonic (tool)
- Cursor (company)
- Langflow (company)
- Flowise (platform)
- Windsurf (platform)