← The Wire

Top 5 · 2026-06-15 · source-backed

OX Security found a systemic RCE baked into Anthropic's official MCP SDKs, every language

Confidence
source-backed
Sources
2
Redaction
passed

Story

A single architectural decision, replicated across Python, TypeScript, Java, and Rust, sitting at the center of the protocol most agent builders now run. OX Security's research team disclosed a critical vulnerability in the official Model Context Protocol SDKs that enables arbitrary command execution on any system running a vulnerable MCP implementation, exposing internal databases, API keys, and chat histories (OX Security).

The detail that matters: they frame it as a design decision present across every supported language SDK, not a single-language bug. This isn't "patch one package." It's "the shape of the thing has a hole in it." It's also distinct from the back-end-connector and unauthenticated-server vulnerability classes already reported this year, so if you patched for those and moved on, you're not covered.

MCP went from a clever Anthropic protocol to the de facto tool layer for the entire agent ecosystem in about eighteen months. That speed is exactly why this hurts. We bolted MCP servers onto everything, often self-hosted, often connecting agents to the most sensitive systems we own, because the protocol made it trivial. Trivial to connect is also trivial to attack. The same composability that made MCP win is the composability that makes one architectural flaw a fleet-wide problem.

What builders should do today, in order: inventory every MCP server you run, especially self-hosted ones touching databases, secrets, or production. Check whether they're reachable from anything you don't fully trust. Update the SDK the moment Anthropic ships the fix, and assume the window between disclosure and your patch is a window someone is scanning. Longer term, the answer is the zero-trust MCP gateway pattern that's been converging in the security writeups all year. Never let a third-party tool description flow straight into your model's context. Inspect and template every tool schema at a control point outside the client, the way a load balancer treats inbound HTTP (Practical DevSecOps). A security disclosure and an adoption pattern landing in the same week is the signal. Treat tool schemas as untrusted ingress now, not after your next incident.


Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entities / Shared topic / Earlier coverage

    MCP STDIO transport enables arbitrary command execution across 11 CVEs, 7,000+ servers, 150M+ package downloads.

    Both cover Anthropic, Java, MCP, OX Security; overlapping topics (agent, anthropic, context); earlier Anthropic coverage from 2026-04-30.

  2. Shared entities / Shared topic / Earlier coverage / Tension

    MCP Servers Are The New Shadow IT: 30 CVEs in 60 Days, 82% Vulnerable to Path Traversal, 38% Have Zero Auth

    Both cover Anthropic, HTTP, MCP, RCE; overlapping topics (security, tool); earlier Anthropic coverage from 2026-03-23.

  3. Shared entities / Same source domain / What happened next

    MCPJam and nginx-ui Ship 9.8 RCE Bugs

    Both cover Check, HTTP, MCP, Practical DevSecOps; reported by the same outlet (practical-devsecops.com); picks up the Check thread on 2026-07-01.

  4. Shared entities / Shared topic / Earlier coverage

    Google ADK TypeScript GA.

    Both cover Java, MCP, Python, SDK; overlapping topics (agent, protocol); earlier Java coverage from 2026-03-17.

  5. Shared entities / Same source domain / Earlier coverage

    Windsurf prompt-injection RCE: attacker HTML can register a malicious MCP server.

    Both cover MCP, OX Security, RCE, Treat; reported by the same outlet (ox.security); earlier MCP coverage from 2026-06-05.

  6. Shared entities / Shared topic / Earlier coverage

    Bun Merged a Million Lines of AI-Generated Rust. Language Lock-In Is Over.

    Both cover Java, Python, Rust, TypeScript; overlapping topics (agent, language); earlier Java coverage from 2026-05-15.

  7. Claude Desktop Extensions CVSS 10 Zero-Click RCE — Anthropic Declined to Fix.

    Both cover Anthropic, MCP, RCE, Treat; overlapping topics (anthropic, builder); earlier Anthropic coverage from 2026-03-01.

  8. Shared entities / Same source domain / Shared topic / What happened next

    Johns Hopkins Hijacked AI Coding Agents in CI Tests

    Both cover MCP, Never, Practical DevSecOps; reported by the same outlet (practical-devsecops.com); overlapping topics (agent, context).

Source trail

Entities

Provenance

AI generated
no
Story unit
2026-06-15-ox-security-found-a-systemic-rce-baked-into-anthropic-s-official-mcp-sdks-every-language
Labels
source-backed, canonical briefing excerpt