Contents

  1. What Happened: The April 15 OX Security Disclosure
  2. How It Works: Why STDIO Enables RCE
  3. Scale: 150M Downloads, 200K Servers, Claude Code Included
  4. The Four Attack Families
  5. Anthropic's Response: The Decision Not to Patch
  6. Ecosystem Response: Vendors That Have Patched
  7. Impact on Japanese SaaS and What to Do Now
  8. Conclusion: The New Reality of MCP Security
⚠️ Security Alert

This article covers a real vulnerability disclosed on April 15, 2026. If you currently operate an MCP server or deploy MCP clients in production, see the action checklist.

What Happened: The April 15 OX Security Disclosure

On April 15, 2026, Israeli security firm OX Security published a report titled "The Mother of All AI Supply Chains", reporting that a critical, systemic architectural flaw in Anthropic's Model Context Protocol (MCP) enables remote code execution (RCE) on any system running a vulnerable implementation.

This is not a coding bug in a single implementation. It is a design decision baked into the protocol itself, affecting all supported SDKs: Python, TypeScript, Java, and Rust.

According to OX Security's research, the affected scope includes more than 150 million total downloads, over 7,000 publicly accessible MCP servers, and up to 200,000 vulnerable instances.

OX Security Disclosure Scale (✅ Verified Across Multiple Primary Sources)

  150M+ total downloads (all language SDKs)
  200K vulnerable instances (estimated)
  7,000+ public MCP servers (directly affected)

How It Works: Why STDIO Enables RCE

MCP uses a STDIO (standard input/output) interface to launch local server processes and communicate with them over their standard streams. The problem lies in how that launch is handled: MCP's STDIO implementation executes whatever command the configuration specifies, regardless of whether an MCP server ever starts successfully.

In practice, this means that if a malicious command string is supplied as the MCP server launch command in a configuration file, the command runs even when no server comes up: the launch fails with an error, but the command has already executed.

Technical Mechanism

When an MCP configuration file (e.g., mcp_config.json) contains a malicious command, the MCP client (Claude Code, Cursor, etc.) executes that command at the moment it attempts to connect to the server. Whether the connection succeeds is irrelevant — the command execution has already completed. This enables zero-click attacks.

The core of this issue is a design pattern of "executing commands as data without validation". In standard web application security, passing user input directly to a shell is a textbook vulnerability. MCP's STDIO design does the equivalent by architecture: the command field of a configuration file is data, and the client runs it.
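Because the reference implementation spawns the configured command as-is, the practical mitigation on the client side is to validate the "command" and "args" of every STDIO server entry before anything is spawned. The following is an added example written for this article (not OX Security's, Anthropic's, or any vendor's code); it assumes the common client config layout {"mcpServers": {"<name>": {"command": ..., "args": [...]}}} and an organization-chosen allowlist of launchers, both of which are assumptions rather than protocol rules.

```python
import json
from pathlib import PurePath

# Reviewed launchers an organization chooses to permit (assumed policy, not an MCP rule).
ALLOWED_COMMANDS = {"npx", "uvx", "node", "python3"}
# Interpreters that turn "args" into arbitrary code; never accepted from a config file.
SHELL_LIKE = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}
METACHARS = set(";|&`$<>()")


def check_server(name, entry):
    """Return findings for one server entry; an empty list means it may be spawned."""
    findings = []
    cmd = entry.get("command")
    args = entry.get("args", [])
    if not isinstance(cmd, str) or not cmd.strip():
        return [f"{name}: missing or non-string 'command'"]
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return [f"{name}: 'args' must be a list of strings"]
    base = PurePath(cmd).name.lower()
    if base in SHELL_LIKE:
        findings.append(f"{name}: '{cmd}' is a shell interpreter; refused")
    elif base not in ALLOWED_COMMANDS:
        findings.append(f"{name}: '{cmd}' is not an allowlisted launcher")
    if base != cmd and not PurePath(cmd).is_absolute():
        # e.g. "./tools/server": a checkout-relative binary runs whatever the repository ships.
        findings.append(f"{name}: relative path '{cmd}' resolves inside the checkout")
    for a in args:
        if METACHARS & set(a):
            findings.append(f"{name}: argument {a!r} carries shell metacharacters")
            break
    return findings


def audit_config(config_text):
    """Parse an MCP client config and map each server name to its findings."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: check_server(name, entry) for name, entry in servers.items()}


# Constructed sample config: one reviewed entry and one that must be blocked.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "docs": {"command": "npx", "args": ["-y", "@example/docs-server"]},
        "helper": {"command": "bash", "args": ["-c", "./setup.sh; ./server"]},
    }
})

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else findings)
```

A client that only spawns entries whose finding list is empty turns the "command as data" pattern into an explicit allow decision, which is the developer-side validation the disclosure says the protocol itself does not perform.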

Scale: 150M Downloads, 200K Servers, Claude Code Included

OX Security confirmed the following directly affected tools:

This is not an Anthropic-only problem. Every MCP client that adopted the standard protocol is affected — making this a supply chain issue that spans the entire ecosystem.

TechRepublic characterized this disclosure as "the AI era's 'Open Redirect' moment" — a reference to the classic web security vulnerability where missing URL validation opens the door to phishing and redirect attacks. Like Open Redirect, a design-level decision in a widely adopted protocol creates an attack surface across the entire ecosystem.

The Four Attack Families

OX Security classified the exploitable attack patterns into four distinct families:

Attack Family 1: Unauthenticated UI Injection

Injecting malicious MCP configuration through unauthenticated UI surfaces in popular AI frameworks. The command executes when the user adds a "server" through the affected UI.

Attack Family 2: Zero-Click Prompt Injection in AI IDEs

Confirmed in Windsurf and Cursor: simply opening a malicious repository, or having Claude read a malicious file, triggers command execution. No user click or confirmation dialog is required.

Attack Family 3: Malicious Marketplace Distribution

In OX Security's testing, trial malicious MCP packages were submitted to 11 MCP registries. 9 out of 11 (82%) accepted the packages, demonstrating that distribution of trojanized MCP packages through official-looking channels is practically feasible today.

Attack Family 4: Dependency Poisoning

Injecting malicious code into the dependency graph of legitimate MCP packages. The rapid expansion of the MCP ecosystem has outpaced dependency security review in most organizations.

Anthropic's Response: The Decision Not to Patch

The most debated aspect of this story is Anthropic's official response. After receiving OX Security's report, Anthropic confirmed the STDIO behavior is "expected" and declined to modify the protocol architecture, stating that the STDIO execution model represents a secure default and that input sanitization is the developer's responsibility.

Anthropic's position is that preventing untrusted commands from appearing in MCP server configuration is a developer-side implementation responsibility — not a protocol-level concern.

Important: Reference Implementation Remains Unpatched

Anthropic's official MCP SDK reference implementation has not been modified as of this writing. Some vendors — DocsGPT, Bisheng, LiteLLM, Upsonic — have released their own patches, but patch availability varies by vendor and there is no consistent ecosystem-wide fix. You need to check the status of each MCP client and tool your organization uses individually.

The security community has responded with a range of views. Critics argue that when an architectural decision creates supply chain risk across an ecosystem of 150M+ downloads, the protocol's designer bears responsibility for mitigation. Others hold that as an open protocol, the burden falls on individual implementors. The debate continues.

Ecosystem Response: Vendors That Have Patched

While Anthropic has not modified the reference implementation, the vendors named above, DocsGPT, Bisheng, LiteLLM, and Upsonic, have issued patches for their own products (✅ Verified across multiple sources):

For major MCP clients — Claude Code, Cursor, VS Code, Windsurf — check each vendor's release notes for vendor-specific mitigations. Patch status may have changed since this article was published.

The MCP Registry security review situation also remains concerning. OX Security's test result — 9 of 11 registries accepting malicious trial packages — reflects the current security maturity of the MCP ecosystem.

Impact on Japanese SaaS and What to Do Now

Japanese SaaS vendors with official MCP servers currently include freee, Money Forward, kintone, Backlog, and Garoon, among others known to KanseiLink. Operators of these servers, and developers/agent operators using them, should consider the following actions.

For Vendors Operating MCP Servers

For Developers and Agent Operators Using MCP Servers

Impact on KanseiLink AEO Scores

KanseiLink is evaluating the addition of security response maturity as a factor in future AEO ratings. Vendors that issue security advisories in response to the OX Security disclosure and implement STDIO configuration validation will be recognized in our security maturity dimension.

Conclusion: The New Reality of MCP Security

The OX Security disclosure surfaces a structural problem that has been building as MCP expanded into mainstream use: security was not designed in from the start, and it is now everyone's problem to retrofit.

The core issue is not a technical bug — it is a design tradeoff. Choosing an easy-to-use STDIO interface transferred the responsibility for safe usage to every developer building on MCP. Anthropic's "expected behavior" position is technically consistent with that tradeoff, but the question of responsibility for a protocol with 150M+ downloads will continue to be debated.

For Japan's SaaS and AI agent ecosystem, the critical takeaway is that this is not "Anthropic's problem" — it is everyone's problem who uses MCP. Vendors operating MCP servers and businesses deploying MCP-based agents both need to act today.

KanseiLink will continue tracking the security posture of each MCP server in our dataset and reflecting it in AEO scores.

Sources & Verification

All figures and facts in this article (150M+ downloads, 200K servers, Anthropic's "Expected Behavior" statement, vendor patch list) are verified against multiple primary sources including the OX Security blog, SecurityWeek, The Hacker News, and Infosecurity Magazine (✅). The "up to 200,000 instances" figure is OX Security's own estimate from their research report. Anthropic's patch status reflects the state at time of publication and may have been updated since.
