Your MCP server is a shell. Anthropic calls it expected.
OX Security found an RCE in the official MCP SDK. Anthropic calls it expected. Here is how you know if you got owned, and the playbook to lock it down.
Anthropic shipped an RCE in MCP and called it expected.
"Shifting responsibility to implementers does not transfer the risk." That is OX Security, describing the hole they found under the Model Context Protocol that half the agent ecosystem now runs on.
In April, four OX Security researchers published a design flaw in the official MCP SDK across all four languages it ships in: Python, TypeScript, Java, and Rust. The STDIO transport, the part that launches a local tool server, will also run arbitrary OS commands if it can be steered. Hand it a real command, it returns a handle. Hand it a different one, it runs that too, then returns an error after the damage is done.
Scale, per the Cloud Security Alliance: more than 7,000 publicly reachable MCP servers, an estimated 200,000 vulnerable instances overall, across packages with 150 million-plus downloads.
Anthropic's answer was that it works as intended. They declined to change the reference implementation and called the behavior expected. So every project built on the official SDK inherited the risk, and the cleanup is now your problem.
Then May rolled in. CVE-2026-33032 hit nginx-ui's MCP endpoint at CVSS 9.8, an unauthenticated full takeover, 2,600-plus instances exposed at disclosure. The CSA counted at least seven confirmed high or critical MCP CVEs in tools builders actually run. The NSA published an MCP security sheet. When the NSA writes you a memo about your tool transport, the grace period is over.
The hit list
Each link goes to the advisory. The cluster all traces back to the same STDIO trust boundary.
LiteLLM ([CVE-2026-30623](https://nvd.nist.gov/vuln/detail/CVE-2026-30623)). Critical. Command injection through MCP. Patched.
Windsurf ([CVE-2026-30615](https://nvd.nist.gov/vuln/detail/CVE-2026-30615)). High. Unpatched as of May.
Cursor, MCPoison ([CVE-2025-54136](https://nvd.nist.gov/vuln/detail/CVE-2025-54136)). A saved MCP config quietly rewritten after you approved it. Patched in 1.3.
LibreChat ([CVE-2026-22252](https://nvd.nist.gov/vuln/detail/CVE-2026-22252)). High. Patched.
MCP Inspector ([CVE-2025-49596](https://nvd.nist.gov/vuln/detail/CVE-2025-49596)). First of the cluster. Patched.
nginx-ui ([CVE-2026-33032](https://nvd.nist.gov/vuln/detail/CVE-2026-33032)). CVSS 9.8. Unauthenticated takeover. 2,600-plus exposed.
Flowise, Agent Zero, Upsonic, GPT Researcher, and a dozen more sit in the same OX writeup. The list is still growing.
Config to command
MCP is how your agent reaches its tools. A local tool runs over STDIO, which is just a process your agent starts. The config that says start this server can be bent into run this command. Anyone who can influence that config can run code on the box.
Two different things are getting mashed together in the headlines, so be honest about the threat model. One is the design flaw the vendor shipped and everyone downstream inherited: the STDIO transport. The other is what a builder leaves open, like an MCP server bound to a public IP, a tool descriptor pulled from an untrusted marketplace, or a config your agent is allowed to edit because you wired it that way. The first is not your fault. The second is. Both end the same way, with someone else's command running at your agent's authority.
And the trigger does not need a human in the chair. The same window includes zero-click prompt injection: a poisoned descriptor or a malicious string in something your agent reads, and the config gets edited for you.
How would you know you got owned
Look for an MCP server bound to anything other than localhost. Outbound connections from a tool process you do not recognize. Edits to ~/.claude/settings.json, .cursor/, or .vscode/mcp.json you did not make. A local tool server spawning curl, wget, or a shell. Quick first pass:
grep -rEi "curl|wget|bash -c|sh -c|/tmp/" ~/.claude/ ~/.cursor/ .vscode/ 2>/dev/null
If the answer is yes
Kill the server. Pull the box off the network before you debug it. Revoke, not rotate, every credential that process could see: API keys, tokens, cloud creds, the .env it could read. Diff your MCP configs against a known-good commit. Sweep history with gitleaks. Assume anything the agent could reach is already in someone else's hands.
The move
The playbook the survivors used. None of it is exotic.
Treat every MCP server as an untrusted third party. That is the CSA's line, not ours.
Never expose an MCP server on a public interface. Bind to localhost. Sandbox the process.
Pin SDK and client versions. Patch LiteLLM, Cursor, and LibreChat now. Windsurf when the fix lands.
Allowlist tools. Restrict what the agent can call with --allowed-tools or your vendor's equivalent.
Authorize at the data layer, not the model layer. The model will get talked into it. The data layer will not.
Human in the loop on anything destructive. No silent shell, file write, or deploy.
Treat every input as hostile: tool descriptors, marketplace listings, PR titles, URLs, the output of other agents.
You are a security reviewer auditing my repo and local agent setup for the 2026 MCP STDIO command-execution class (OX Security disclosure; CVE-2026-33032, CVE-2026-30623, CVE-2026-30615, CVE-2025-54136, CVE-2026-22252, CVE-2025-49596). Report findings with file paths and line numbers.
1. Find every MCP server config (~/.claude/settings.json, .cursor/, .vscode/mcp.json, any *.mcp.json, docker-compose, k8s manifests). List each server, its transport (stdio or http), and whether it binds to anything other than localhost.
2. Flag any MCP server reachable on a public interface (0.0.0.0 or a routable host) as critical.
3. Flag any server whose command, args, or env can be influenced by untrusted input (PR titles, issue bodies, web fetches, marketplace descriptors, other agents).
4. List SDK and client versions (mcp Python, TypeScript, Java, Rust, plus LiteLLM, Cursor, LibreChat, Windsurf, Flowise) and check each against the known-vulnerable versions for the CVEs above.
5. Identify any tool that performs a destructive action (shell, file write, deploy, db write) without a human-in-the-loop gate.
6. Output a prioritized fix list: pin or patch, bind to localhost, sandbox, allowlist tools, add approval gates, revoke any credential a vulnerable server could read.
Do not execute fixes. Report only.
The protocol won, then it shipped a shell.
When the vendor calls an RCE expected and the NSA starts writing memos, the tutorial you copied your MCP config from is not coming to save you.
Run Composed on your last 10 PRs.
Apply for design partner access and we’ll show which findings are real, exploitable, and worth fixing — free.
Run it on 10 PRs →