← The Wire

Top 5 · 2026-06-17 · source-backed

The MCP supply chain has a hole in the floor, and it's being exploited right now

Confidence
source-backed
Sources
2
Redaction
redacted

Story

OX Security disclosed a systemic vulnerability on June 16 in core Model Context Protocol implementations that enables arbitrary command execution, exposing API keys, internal databases, and chat histories on any vulnerable MCP host. This isn't one bad server. It's a protocol-level flaw, and it lands in the middle of a wave. VIPER-MCP swept around 40,000 repos and produced 67 CVEs. Akamai disclosed three database-MCP flaws. The NSA published lockdown guidance. Censys counted 12,520 internet-reachable MCP services, most of them unauthenticated.

Read that last number again. Twelve thousand MCP servers reachable from the open internet, most with no auth. MCP is the integration surface everyone's racing to adopt, the thing CircleCI, Microsoft, and Google all shipped against this week, and a big chunk of deployed instances are wide open.

It gets worse when you chain it. CISA added CVE-2026-42271 to its Known Exploited Vulnerabilities catalog amid confirmed in-the-wild attacks. It's a command-injection flaw, CVSS 8.7, in the LiteLLM gateway used by CrewAI, DSPy, Microsoft GraphRAG, and a long list of agent frameworks. Two MCP-preview endpoints accept full stdio server configs, command, args, env, and chaining that with the Starlette "BadHost" auth bypass, CVE-2026-48710, gets you unauthenticated remote code execution. That path leaks your model-provider API keys and opens lateral movement across your stack.

If you self-host an LLM gateway, this is your afternoon. Fixes shipped in LiteLLM v1.83.7 and Starlette 1.0.1+. Patch both. Then rotate every provider key that touched a vulnerable instance, because "confirmed in-the-wild" means assume compromise, not theoretical risk. Audit and authenticate every MCP server in your agent stack. The convenience of MCP, that anything can plug into anything, is exactly what makes it a near-perfect supply-chain target. We solved this in package management with signing and scanning. The MCP ecosystem is shipping integrations faster than it's shipping the security primitives to make them safe. Don't wait for the ecosystem to catch up. Lock yours down now.


Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entities / Shared topic / Earlier coverage

    CISA Confirms: Your AI Security Scanner Got Backdoored. Federal Deadline Is April 8.

    Both cover Audit, CISA, CVE, CVEs; overlapping topics (chain, litellm); earlier Audit coverage from 2026-03-28.

  2. Shared entities / Shared topic / Earlier coverage / Tension

    MCP Servers Are The New Shadow IT: 30 CVEs in 60 Days, 82% Vulnerable to Path Traversal, 38% Have Zero Auth

    Both cover Audit, CVE, CVEs, CVSS; overlapping topics (auth, chain, server); earlier Audit coverage from 2026-03-23.

  3. Shared entities / Same source domain / Shared topic / Earlier coverage

    MCP STDIO transport enables arbitrary command execution across 11 CVEs, 7,000+ servers, 150M+ package downloads.

    Both cover CVE, CVEs, LiteLLM, MCP; reported by the same outlet (thehackernews.com); overlapping topics (agent, command, execution, server).

  4. Shared entities / Shared topic / Earlier coverage

    The Agent Security Crisis Is Here: 36% of ClawHub Skills Malicious, 30+ MCP CVEs, RCE in Microsoft Agent Framework

    Both cover Audit, CVE, CVEs, CVSS; overlapping topics (agent, chain, microsoft); earlier Audit coverage from 2026-03-05.

  5. Bitdefender Quantifies MCP Security Crisis: 53% Static Credentials, 8.5% OAuth

    Both cover Audit, CVE, CVEs, CVSS; overlapping topics (chain, server); earlier Audit coverage from 2026-02-22.

  6. MCP's attack surface keeps widening: 1,467 exposed servers, 67 CVEs from one automated sweep.

    Both cover Censys, CVEs, CVSS, MCP; overlapping topics (auth, flaw, server); earlier Censys coverage from 2026-06-08.

  7. MCP server sprawl is now the dominant agent supply-chain risk: 12,520 exposed services, ~40% with no auth.

    Both cover Akamai, Censys, CVEs, MCP; overlapping topics (agent, auth, server); earlier Akamai coverage from 2026-06-05.

  8. Shared entities / Earlier coverage

    10 Skills of the Day

    Both cover Audit, CISA, CVSS, LiteLLM; earlier Audit coverage from 2026-03-25.

Source trail

Entities

Provenance

AI generated
no
Story unit
2026-06-17-the-mcp-supply-chain-has-a-hole-in-the-floor-and-it-s-being-exploited-right-now
Labels
source-backed, canonical briefing excerpt