Arbitrary Command Execution Flaw in Anthropic’s Model Context Protocol (MCP) SDKs Impacts 150M+ Downloads
Summary
A critical architectural vulnerability in Anthropic’s Model Context Protocol (MCP) SDKs enables arbitrary command execution across systems using the protocol, exposing sensitive data, internal databases, API keys, and chat histories. The flaw stems from unchecked command execution in MCP’s STDIO interface, where commands execute regardless of whether the target process starts successfully, with no sanitization or warnings. It affects all supported SDK languages (Python, TypeScript, Java, Rust). Over 200 open source projects, 150 million downloads, 7,000+ publicly accessible MCP servers, and up to 200,000 vulnerable instances are potentially impacted. Anthropic has declined to patch the flaw, asserting that it is expected behavior and shifting responsibility for sanitization to developers. The vulnerability allows complete system takeover, creating significant risks across the AI supply chain.
Timeline
- 16.04.2026 12:40 (1 article)
  Critical Arbitrary Command Execution Flaw in MCP SDKs Exposes 150M+ Downloads
  A systemic vulnerability in Anthropic’s MCP SDKs enables arbitrary command execution via unchecked STDIO interface commands, affecting all supported languages and potentially exposing sensitive data across 200 open source projects and 7,000+ public MCP servers. Anthropic has declined to patch the flaw, citing expected behavior and placing sanitization responsibility on developers. Ox Security has issued over 30 disclosures and identified 10+ critical CVEs to support remediation efforts.
  - Systemic Flaw in MCP Protocol Could Expose 150 Million Downloads — www.infosecurity-magazine.com — 16.04.2026 12:40
Information Snippets
- The vulnerability exists in the Model Context Protocol (MCP) SDKs developed by Anthropic, affecting all supported languages (Python, TypeScript, Java, Rust).
  First reported: 16.04.2026 12:40 (1 source, 1 article)
  - Systemic Flaw in MCP Protocol Could Expose 150 Million Downloads — www.infosecurity-magazine.com — 16.04.2026 12:40
- The flaw enables arbitrary command execution via MCP’s STDIO interface, where commands execute regardless of whether the target process starts successfully, with no sanitization or warnings.
  First reported: 16.04.2026 12:40 (1 source, 1 article)
  - Systemic Flaw in MCP Protocol Could Expose 150 Million Downloads — www.infosecurity-magazine.com — 16.04.2026 12:40
- Over 200 open source projects, 150 million downloads, 7,000+ publicly accessible MCP servers, and up to 200,000 vulnerable instances are potentially exposed.
  First reported: 16.04.2026 12:40 (1 source, 1 article)
  - Systemic Flaw in MCP Protocol Could Expose 150 Million Downloads — www.infosecurity-magazine.com — 16.04.2026 12:40
- Anthropic has confirmed the behavior as "expected" and declined to patch the vulnerability, stating that sanitization is the responsibility of developers.
  First reported: 16.04.2026 12:40 (1 source, 1 article)
  - Systemic Flaw in MCP Protocol Could Expose 150 Million Downloads — www.infosecurity-magazine.com — 16.04.2026 12:40
- Ox Security has issued over 30 responsible disclosures and identified over 10 high or critical-severity CVEs to assist vulnerable open source projects in patching.
  First reported: 16.04.2026 12:40 (1 source, 1 article)
  - Systemic Flaw in MCP Protocol Could Expose 150 Million Downloads — www.infosecurity-magazine.com — 16.04.2026 12:40