Full Report
Cybersecurity researchers have discovered a critical "by design" weakness in the Model Context Protocol's (MCP) architecture that could pave the way for remote code execution and have a cascading effect on the artificial intelligence (AI) supply chain. "This flaw enables Arbitrary Command Execution (RCE) on any system running a vulnerable MCP implementation, granting attackers direct access to
Analysis Summary
# Vulnerability: Anthropic Model Context Protocol (MCP) Design-Level RCE
## CVE Details
- **CVE ID:** Multiple (Systemic architectural flaw). Primary identifiers include:
- **CVE-2025-65720** (GPT Researcher)
- **CVE-2026-30623** (LiteLLM)
- **CVE-2026-40933** (Flowise)
- **CVE-2026-26015** (DocsGPT)
- **CVE-2025-54136** (Cursor)
- **CVSS Score:** Critical (Specific scores vary by implementation, typically 9.0+)
- **CWE:** CWE-78 (OS Command Injection), CWE-440 (Expected Behavior Violation)
## Affected Systems
- **Products:** Anthropic MCP SDKs (Python, TypeScript, Java, Rust) and downstream integrations.
- **Affected Integrations:** LiteLLM, LangChain, LangFlow, Flowise, LettaAI, LangBot, GPT Researcher, Agent Zero, Fay Framework, Bisheng, Langchain-Chatchat, Jaaz, Upsonic, Windsurf, DocsGPT, LibreChat, and Cursor.
- **Versions:** All implementations using the default STDIO transport interface prior to April 2026.
- **Configurations:** Systems utilizing the standard input/output (STDIO) transport interface to connect LLMs to local tools or servers.
## Vulnerability Description
The flaw is a "by design" weakness in how the Model Context Protocol (MCP) handles configuration via the **STDIO transport interface**. The protocol allows for direct configuration-to-command execution. While intended to start local STDIO servers for LLMs, the implementation lacks validation, allowing the transport mechanism to execute arbitrary operating system commands. If a command successfully creates an STDIO server, it returns a handle; if an attacker provides a malicious command, the system executes it and returns an error only *after* execution.
This is compounded by "zero-click" prompt injection risks, where an LLM might be tricked into modifying its own MCP configuration to include malicious commands.
## Exploitation
- **Status:** PoC available / Exploited in the wild (per researcher analysis of 7,000+ servers).
- **Complexity:** Low
- **Attack Vector:** Network (via prompt injection or unauthenticated API requests to MCP-enabled services).
## Impact
- **Confidentiality:** High (Access to sensitive user data, internal databases, and API keys).
- **Integrity:** High (Ability to execute arbitrary commands and modify system files).
- **Availability:** High (Potential for system-wide compromise or service disruption).
## Remediation
### Patches
Anthropic has declared the behavior "expected" and has not modified the core protocol. However, individual vendors have released patches:
- **LiteLLM:** Patched in recent versions (see CVE-2026-30623).
- **DocsGPT:** Patched (see CVE-2026-26015).
- **Bisheng:** Patched (see CVE-2026-33224).
- Users should update any AI orchestration framework (LangChain, Flowise, etc.) to the latest 2026 versions immediately.
### Workarounds
- **Sandboxing:** Run all MCP-enabled services and tool-use environments in isolated containers or sandboxes.
- **Input Validation:** Treat all external MCP configuration inputs as untrusted.
- **Restrict Access:** Block public IP access to internal MCP services.
## Detection
- **Indicators of Compromise:** Unexpected child processes spawned by AI middleware; unusual outbound network traffic from LLM "tool" environments; presence of OS commands in MCP configuration logs.
- **Detection Methods:** Monitor for "STDIO" transport configuration changes within AI application logs. Audit `mcp_config.json` files for unauthorized command strings.
## References
- hxxps://thehackernews[.]com/2026/04/anthropic-mcp-design-vulnerability.html
- hxxps://www.ox[.]security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/
- hxxps://nvd.nist[.]gov/vuln/detail/CVE-2026-30623