‘This is not a traditional coding error’: Experts flag potentially critical security issues at the heart of Anthropic’s MCP, exposes 150 million downloads and thousands of servers to complete takeover
- Ox researchers warn Anthropic’s Model Context Protocol has systemic RCE flaw
- Vulnerability baked into MCP SDKs across Python, TypeScript, Java, Rust
- 200,000+ instances exposed; Anthropic says behavior is “expected”
Security researchers Ox have claimed Anthropic’s Model Context Protocol (MCP) contains a “critical, systemic vulnerability” which puts hundreds of thousands of instances at risk of remote code execution (RCE).
Anthropic, on the other hand, allegedly said the system works as intended.
MCP is a standard that lets AI tools securely connect to external data sources and apps. It is a vital component of any model because without it, it can only rely on the data it was trained on. The standard is used by both AI companies and developers building AI tools, and it is seen in both OpenAI and DeepMind products, as well as Anthropic’s own Claude apps.
Article continues below
Millions are affected
In its findings, Ox researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok, and Roni Bar, said that what they found in MCP was not a “traditional coding error”, but an “architectural design decision baked into Anthropic’s official MCP SDKs across every supported programming language, including Python, TypeScript, Java, and Rust.”
“Any developer building on the Anthropic MCP foundation unknowingly inherits this exposure,” they warned.
Ox said the flaw can be triggered in different ways, from unauthenticated UI injection, to hardening bypasses in “protected environments”; and from zero-click prompt injection in leading AI IDEs, to malicious marketplace distributions.
They claim to have successfully executed commands on six live production platforms and identified critical vulnerabilities in “industry staples like LiteLLM, LangChain, and IBM’s LangFlow.”
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
The researchers said more than 7,000 publicly accessible servers and up to 200,000 instances are now vulnerable. So far, they’ve issued 10 CVEs and helped remedy the bugs. “However, the root cause remains unaddressed at the protocol level.”
Ox also said it reached out to Anthropic and recommended root patches, to which the company said the MCP’s behavior is “expected”.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
Ox researchers warn Anthropic’s Model Context Protocol has systemic RCE flaw Vulnerability baked into MCP SDKs across Python, TypeScript, Java, Rust 200,000+ instances exposed; Anthropic says behavior is “expected” Security researchers Ox have claimed Anthropic’s Model Context Protocol (MCP) contains a “critical, systemic vulnerability” which puts hundreds of thousands of…
Recent Posts
- The Dimplex FlexBlade Multi-Directional Bladeless Fan looks like it’s part of a plane, but despite its propeller-like design it may struggle to cool your aircraft hangar
- Dave Eggers told OpenAI staff that ChatGPT was ‘silencing an entire generation’
- France doubles down on restricting access to Polymarket
- Apple has banned home service content on upcoming Maps ads
- Google might not kneecap the Pixel 11a with an old processor
Archives
- July 2026
- June 2026
- May 2026
- April 2026
- March 2026
- February 2026
- January 2026
- December 2025
- November 2025
- October 2025
- September 2025
- August 2025
- July 2025
- June 2025
- May 2025
- April 2025
- March 2025
- February 2025
- January 2025
- December 2024
- November 2024
- October 2024
- September 2024
- August 2024
- July 2024
- June 2024
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023