Security researchers say a design flaw in Anthropic’s MCP protocol puts 200,000 servers at risk and Anthropic has declined to fix it

Researchers at Ox Security found that a root vulnerability in Anthropic's Model Context Protocol, which AI applications and agents use to connect to external data and systems, allows arbitrary OS commands to be executed on servers through MCP's STDIO transport mechanism, putting an estimated 200,000 servers at risk of complete takeover across software packages with more than 150 million downloads. Ox says it repeatedly asked Anthropic to patch the root issue and was told the behavior was “expected,” with Anthropic instead quietly updating its security guidance to recommend using STDIO adapters with caution, a change researchers say “didn't fix anything.” So far ten high and critical severity CVEs have been issued for individual tools that use MCP, but Ox argues a single architectural change at the protocol level would have protected all downstream projects, developers, and end users at once.