Critical Anthropic MCP Vulnerability Enables Remote Code Execution Attacks

A critical vulnerability in Anthropic’s Model Context Protocol (MCP) is putting millions of systems at risk of full compromise, according to new research released by OX Security on April 15, 2026.

The flaw, which affects MCP implementations across multiple programming environments, could enable attackers to execute arbitrary code remotely and gain access to sensitive data.

Researchers estimate the exposure impacts over 150 million MCP-related downloads and up to 200,000 active servers.

The vulnerability allows attackers to access internal databases, API keys, chat histories, and other confidential information without requiring user interaction in some cases.

Unlike traditional security flaws, this issue is not caused by a coding mistake. Instead, OX Security identified it as a fundamental architectural weakness embedded in Anthropic’s official MCP software development kits (SDKs).

The flaw exists across all supported languages, including Python, TypeScript, Java, and Rust, meaning any developer using MCP may unknowingly inherit the risk through their software supply chain.

Multiple Exploitation Paths Identified

OX Security researchers uncovered four primary attack methods tied to the vulnerability:

• Unauthenticated UI injection in widely used AI frameworks
• Security hardening bypasses in platforms like Flowise
• Zero-click prompt injection targeting AI IDEs such as Windsurf and Cursor
• Malicious payload distribution through MCP registries, with 9 out of 11 tested registries successfully compromised

The team confirmed successful remote command execution on six live production platforms. Additional vulnerabilities were identified in popular tools, including LiteLLM, LangChain, and IBM’s LangFlow.

The research led to the disclosure of at least 10 vulnerabilities, many rated critical.

Notable examples include:

• CVE-2026-30615: Windsurf zero-click prompt injection leading to local RCE
• CVE-2026-30623: LiteLLM authenticated RCE via JSON configuration (patched)
• CVE-2026-30617: LangChain-Chatchat unauthenticated UI injection
• CVE-2025-65720: GPT Researcher reverse shell via UI injection
• CVE-2026-30618: Fay framework unauthenticated web GUI RCE

Despite responsible disclosure efforts, the root issue remains unresolved at the protocol level.

OX Security reported that Anthropic classified the behavior as “expected,” declining to implement immediate architectural fixes.

Security teams are urged to take immediate action to reduce exposure:

• Block public internet access to MCP-connected services handling sensitive data
• Treat all MCP configuration inputs as untrusted and restrict unsafe function usage
• Install MCP servers only from verified sources such as official repositories
• Run MCP services in sandboxed environments with minimal privileges
• Monitor system activity for unusual tool execution or data exfiltration attempts
• Update or disable vulnerable services until patches are available

OX Security has introduced new detection capabilities to identify insecure MCP configurations and flag vulnerable code in enterprise environments.

The researchers also pointed to Anthropic’s recent launch of Claude Mythos, a tool designed to improve software security, urging the company to adopt a “secure by design” approach within its own MCP ecosystem.

Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google

The post Critical Anthropic MCP Vulnerability Enables Remote Code Execution Attacks appeared first on Cyber Security News.