MCP STDIO arbitrary command execution security flaw
Vulnerability
Summary
Hide ▲
Show ▼
A critical MCP flaw in the STDIO interface can trigger arbitrary command execution, putting connected AI systems at risk of data exposure and system takeover. The issue affects Anthropic's official MCP SDKs across Python, TypeScript, Java, and Rust and can expose sensitive user data, internal databases, API keys, and chat histories. The reported blast radius reaches over 200 open source projects, 150 million downloads, 7000+ publicly accessible servers, and up to 200,000 vulnerable instances. Anthropic reportedly said the behavior is by design and declined to change the protocol, leaving remediation to developers.
Related Happenings
Anthropic Claude Code usage-limits bug causing faster exhaustion
Service Disruption
First: 01.04.2026 03:32
Last: 01.04.2026 03:32
Sources 1
About this happening:
Anthropic is investigating a **Claude Code** bug that makes **usage limits** exhaust much faster than expected, leaving affected users blocked from normal use. The issue was still...
Anthropic Claude Code usage-limits bug causing faster exhaustion
Service DisruptionAbout this happening: Anthropic is investigating a **Claude Code** bug that makes **usage limits** exhaust much faster than expected, leaving affected users blocked from normal use. The issue was still...
Anthropic Claude Code code injection and API key disclosure flaws (multiple vulnerabilities)
Vulnerability
First: 25.02.2026 19:00
Last: 25.02.2026 19:00
Sources 1
About this happening:
**Anthropic's Claude Code** has multiple disclosed flaws that can enable **remote code execution** and **API key theft** when developers open **untrusted repositories**. The issue...
Anthropic Claude Code code injection and API key disclosure flaws (multiple vulnerabilities)
VulnerabilityAbout this happening: **Anthropic's Claude Code** has multiple disclosed flaws that can enable **remote code execution** and **API key theft** when developers open **untrusted repositories**. The issue...
SANDWORM_MODE supply-chain worm targeting AI assistant configs
Malware Activity
First: 23.02.2026 18:00
Last: 23.02.2026 18:00
Sources 1
About this happening:
The **SANDWORM_MODE** worm is spreading through **malicious npm packages**, stealing **developer and CI credentials** and injecting rogue **MCP servers** into AI assistant configu...
SANDWORM_MODE supply-chain worm targeting AI assistant configs
Malware ActivityAbout this happening: The **SANDWORM_MODE** worm is spreading through **malicious npm packages**, stealing **developer and CI credentials** and injecting rogue **MCP servers** into AI assistant configu...
Ghostscript OpenSC and CGIF memory corruption flaws memory corruption flaw
Vulnerability
First: 06.02.2026 07:49
Last: 06.02.2026 07:49
Sources 1
About this happening:
**Ghostscript**, **OpenSC**, and **CGIF** were among the open-source libraries affected by a newly disclosed batch of **more than 500 previously unknown high-severity flaws**. The...
Ghostscript OpenSC and CGIF memory corruption flaws memory corruption flaw
VulnerabilityAbout this happening: **Ghostscript**, **OpenSC**, and **CGIF** were among the open-source libraries affected by a newly disclosed batch of **more than 500 previously unknown high-severity flaws**. The...
Mcp-server-git path traversal and argument injection flaws (multiple vulnerabilities)
Vulnerability
First: 20.01.2026 15:55
Last: 20.01.2026 15:55
Sources 1
About this happening:
**Anthropic's mcp-server-git** now has **three disclosed vulnerabilities** that can enable **arbitrary file read/delete** and **code execution** in affected deployments. The issue...
Mcp-server-git path traversal and argument injection flaws (multiple vulnerabilities)
VulnerabilityAbout this happening: **Anthropic's mcp-server-git** now has **three disclosed vulnerabilities** that can enable **arbitrary file read/delete** and **code execution** in affected deployments. The issue...
Timeline
-
16.04.2026 12:40 2 articles · 1mo ago
Ox Security discloses MCP STDIO command execution flaw
Initial DisclosureOx Security disclosed a critical, systemic flaw in Anthropic’s model context protocol (MCP) that could allow arbitrary command execution through the STDIO interface and expose sensitive user data, internal databases, API keys, and chat histories across Anthropic’s official MCP SDKs in Python, TypeScript, Java, and Rust. The exposure was described as an architectural design decision, with Anthropic reportedly saying the behavior was by design and declining to modify the protocol; Ox Security said the issue could affect over 200 open source projects, 150 million downloads, 7000+ publicly accessible servers, and up to 200,000 vulnerable instances.
Show sources
- Systemic Flaw in MCP Protocol Could Expose 150 Million Downloads — www.infosecurity-magazine.com — 16.04.2026 12:40
- Systemic Flaw in MCP Protocol Could Expose 150 Million Downloads — www.infosecurity-magazine.com — 16.04.2026 12:40