Security researchers warn 200,000 MCP servers are vulnerable to command injection

Anthropic created the Model Context Protocol (MCP) as the open standard for AI agent-to-tool communication. OpenAI adopted it in March 2025. Google DeepMind followed. Anthropic donated MCP to the Linux Foundation in December 2025. Downloads crossed 150 million. Then four researchers at OX Security found an architectural problem that affects all of them.

MCP's STDIO transport, the default for connecting an AI agent to a local tool, executes any operating system command it receives with no sanitization and no execution boundary between configuration and command. A malicious command returns an error only after the command has already run, and the developer toolchain raises no flag.

OX Security researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok and Roni Bar scanned the ecosystem and found 7,000 servers on public IP addresses with the STDIO transport active. Extrapolating from that ratio, they estimate 200,000 vulnerable instances in total. They confirmed arbitrary command execution on six live production platforms with paying customers. The research produced more than 10 CVEs (Common Vulnerabilities and Exposures entries) rated high or critical across LiteLLM, LangFlow, Flowise, Windsurf, LangChain-Chatchat, Bisheng, DocsGPT, GPT Researcher, Agent Zero, and LettaAI.

Kevin Curran, an IEEE senior member and professor of cybersecurity at Ulster University, independently told Infosecurity Magazine that the research exposed a shocking gap in the security of foundational AI infrastructure.

Anthropic confirmed the behavior is

If teams deployed any MCP-connected AI agent using the default STDIO transport, they are exposed. The insecurity is not a coding bug in any single product. It is a design default in Anthropic's MCP specification that propagated into every official language SDK: Python, TypeScript, Java, and Rust. Every downstream project that trusted the protocol inherited it.

OX identified four exploitation families.
Unauthenticated command injection through AI framework web interfaces was demonstrated against LangFlow and LiteLLM.
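The core of the problem described above is that the STDIO transport spawns whatever `command` the configuration names, so the only place to enforce a boundary is in the launcher that reads that configuration. The following Python guard is an added example for this article; it is not code from OX Security, Anthropic, or any MCP SDK. It assumes the JSON layout `{"mcpServers": {name: {"command", "args", "env"}}}` used by several MCP clients, an allowlist of launchers that a team would tune to its own environment, and a placeholder package name `example-mcp-server`; the sample configuration is constructed for illustration.

```python
"""
Launcher-side guard for MCP STDIO server definitions (added example, not an
official MCP SDK component). It validates each configured server against an
allowlist before anything is spawned, and spawns with an argv list rather than a
shell so the configuration cannot smuggle in extra commands.
"""
import json
import os
import subprocess
from dataclasses import dataclass

# Assumed allowlist: launchers this deployment is willing to run as MCP servers.
ALLOWED_COMMANDS = {"npx", "uvx", "python3", "node"}
# Interpreters that execute an argument string as code: never allowed as a server.
SHELL_LIKE = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}
# Flags that turn an argument into inline code for an otherwise allowed launcher.
INLINE_EVAL_FLAGS = {"-c", "-e", "--eval"}
# Characters that only make sense if the argument were handed to a shell.
SHELL_METACHARS = set(";&|`$<>(){}\n")
# Environment variables that can hijack the child process regardless of command.
DANGEROUS_ENV = {"LD_PRELOAD", "DYLD_INSERT_LIBRARIES", "NODE_OPTIONS", "PYTHONSTARTUP"}


@dataclass
class Verdict:
    name: str
    allowed: bool
    reason: str


def check_entry(name, entry):
    """Return a Verdict for one mcpServers entry without executing anything."""
    cmd = entry.get("command")
    args = entry.get("args", [])
    env = entry.get("env", {})
    if not isinstance(cmd, str) or not isinstance(args, list) or not isinstance(env, dict):
        return Verdict(name, False, "command must be a string, args a list, env an object")
    base = os.path.basename(cmd)
    if base in SHELL_LIKE:
        return Verdict(name, False, f"shell interpreter {base!r} is not permitted as a server")
    if base not in ALLOWED_COMMANDS:
        return Verdict(name, False, f"{base!r} is not in the launcher allowlist")
    for arg in args:
        if not isinstance(arg, str):
            return Verdict(name, False, "every arg must be a string")
        if arg in INLINE_EVAL_FLAGS:
            return Verdict(name, False, f"inline-code flag {arg!r} is not permitted")
        if SHELL_METACHARS & set(arg):
            return Verdict(name, False, f"shell metacharacters in arg {arg!r}")
    for key in env:
        if key in DANGEROUS_ENV:
            return Verdict(name, False, f"env var {key} can hijack the child process")
    return Verdict(name, True, "ok")


def check_config(config_text):
    """Validate every server in a JSON config; returns one Verdict per entry."""
    servers = json.loads(config_text).get("mcpServers", {})
    return [check_entry(name, entry) for name, entry in servers.items()]


def spawn_checked(name, entry):
    """Spawn an MCP STDIO server only if it passed the guard; argv list, no shell."""
    verdict = check_entry(name, entry)
    if not verdict.allowed:
        raise PermissionError(f"refusing to start {name}: {verdict.reason}")
    minimal_env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    return subprocess.Popen(
        [entry["command"], *entry.get("args", [])],
        shell=False,  # the configuration is data, never a shell string
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        env={**minimal_env, **entry.get("env", {})},
    )


# Constructed sample configuration: one acceptable server and two that the guard rejects.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "npx", "args": ["-y", "example-mcp-server", "/tmp/sandbox"]},
        "notes": {"command": "python3", "args": ["-c", "print('hi')"]},
        "untrusted": {"command": "/bin/sh", "args": ["-c", "echo hello"]},
    }
})

if __name__ == "__main__":
    for verdict in check_config(SAMPLE_CONFIG):
        print(f"{verdict.name}: {'ALLOW' if verdict.allowed else 'DENY'} ({verdict.reason})")
```

The guard is deliberately an allowlist rather than a blocklist: a launcher that is not named is refused, and even a named launcher is refused when its arguments would hand it inline code. Running the sample denies `notes` and `untrusted` and allows `filesystem`, which is the boundary between configuration and command that the article says the default transport lacks.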
Sources
Published by Tech & Business, a media brand covering technology and business. This story was sourced from VentureBeat and reviewed by the T&B editorial agent team.