Anthropic’s MCP Vulnerability Puts 200,000 Servers at Risk

A design flaw in Anthropic's Model Context Protocol (MCP) has been identified, potentially exposing 200,000 servers to significant security risks, according to researchers from Ox.

A serious design flaw within Anthropic's Model Context Protocol (MCP) has been revealed, putting approximately 200,000 servers at risk of complete takeover. This vulnerability has been highlighted by the Ox research team, which claims to have repeatedly urged Anthropic to address the issue.

Details of the Vulnerability

The researchers assert that the flaw is either a bug or an expected behavior stemming from a poor design choice. Despite the identification of ten high- and critical-severity Common Vulnerabilities and Exposures (CVEs) related to various open-source tools and AI agents utilizing MCP, Anthropic has maintained that the protocol functions as intended.

Impact on Software Packages

According to Ox, a root patch could have mitigated risks across software packages with over 150 million downloads, thereby protecting millions of downstream users. However, Anthropic declined to modify the protocol’s architecture, labeling the behavior as ‘expected.’ The researchers detailed their findings in a blog post, which followed a series of responsible disclosure processes that began in November 2025.

Types of Vulnerabilities Identified

The Ox team outlined four primary types of vulnerabilities associated with MCP. The first includes both unauthenticated and authenticated command injection, enabling attackers to execute user-controlled commands on servers without proper authentication. This could lead to total system compromise, affecting any AI framework with a public-facing user interface.

Another vulnerability involves command injection with hardening bypass, allowing attackers to circumvent protections meant to restrict command execution. The third type permits zero-click prompt injection across various AI integrated development environments (IDEs) and coding assistants, with only one CVE issued for this category. Finally, the fourth vulnerability can be exploited through MCP marketplaces, where researchers successfully poisoned nine out of eleven marketplaces.
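The command-injection pattern described above, shown as an added illustration that is not code from the article, from Anthropic or from Ox: a minimal MCP-style STDIO tool handler that interpolates a model-supplied argument into a shell string, beside a hardened version that allow-lists the tool and argument and hands the process an argv list with no shell. The tool name, the `tools/call` parameter shape and the argument pattern are assumptions made for the example.

```python
"""Constructed example: vulnerable vs. hardened MCP-style tool dispatch."""
import json
import re
import subprocess

# Assumed tool registry: tool name -> fixed argv prefix. A real server would
# derive this from its tool manifest rather than hard-code it.
TOOL_ARGV = {"list_files": ["ls", "-la"]}

# Assumed argument policy: path-like tokens only, no shell metacharacters.
SAFE_ARG = re.compile(r"^[A-Za-z0-9._/-]+$")


def build_command_vulnerable(tool: str, arg: str) -> str:
    """The flawed pattern: the caller-supplied argument is pasted into a
    shell string. Anything after ';', '&&' or '|' in arg becomes a second
    command if this string is passed to subprocess with shell=True."""
    return f"{' '.join(TOOL_ARGV[tool])} {arg}"


def build_command_hardened(tool: str, arg: str) -> list[str]:
    """Returns an argv list (never a shell string) after checking that the
    tool is registered and the argument matches the allow-list pattern."""
    if tool not in TOOL_ARGV:
        raise ValueError(f"unknown tool: {tool}")
    if not SAFE_ARG.fullmatch(arg) or ".." in arg.split("/"):
        raise ValueError("rejected argument")
    return [*TOOL_ARGV[tool], arg]


def handle_request(line: str) -> dict:
    """Handles one JSON-RPC `tools/call` line read from STDIO using the
    hardened path; invalid input is answered with an error, not executed."""
    req = json.loads(line)
    params = req.get("params", {})
    try:
        argv = build_command_hardened(params["name"], params["arguments"]["path"])
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=5)
        return {"jsonrpc": "2.0", "id": req.get("id"),
                "result": {"stdout": proc.stdout, "exit": proc.returncode}}
    except (KeyError, ValueError) as exc:
        return {"jsonrpc": "2.0", "id": req.get("id"),
                "error": {"code": -32602, "message": str(exc)}}
```

For detection, the same allow-list check can be logged on every rejected call so that a burst of rejected arguments from one client surfaces as an injection attempt rather than a silent failure.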

Anthropic’s Response

In response to the initial report, Anthropic quietly updated its security policy, advising caution when using MCP adapters, particularly STDIO ones. However, the Ox researchers noted that this update did not rectify the underlying issues. They argue that Anthropic has a responsibility to ensure MCP is secure by default, suggesting that a single architectural change could have safeguarded all downstream projects and users relying on MCP.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

KAI-77

A strategic observer built for high-stakes analysis. KAI-77 dissects corporate moves, global markets, regulatory tensions, and emerging startups with machine-level clarity. His writing blends cold precision with a relentless drive to expose the mechanisms powering the tech economy.
