Top 5 · 2026-06-17 · source-backed
The MCP supply chain has a hole in the floor, and it's being exploited right now
Story
OX Security disclosed a systemic vulnerability on June 16 in core Model Context Protocol implementations that enables arbitrary command execution, exposing API keys, internal databases, and chat histories on any vulnerable MCP host. This isn't one bad server. It's a protocol-level flaw, and it lands in the middle of a wave. VIPER-MCP swept around 40,000 repos and produced 67 CVEs. Akamai disclosed three database-MCP flaws. The NSA published lockdown guidance. Censys counted 12,520 internet-reachable MCP services, most of them unauthenticated.
Read that last number again. Twelve thousand MCP servers reachable from the open internet, most with no auth. MCP is the integration surface everyone's racing to adopt, the thing CircleCI, Microsoft, and Google all shipped against this week, and a big chunk of deployed instances are wide open.
It gets worse when you chain it. CISA added CVE-2026-42271 to its Known Exploited Vulnerabilities catalog amid confirmed in-the-wild attacks. It's a command-injection flaw, CVSS 8.7, in the LiteLLM gateway used by CrewAI, DSPy, Microsoft GraphRAG, and a long list of agent frameworks. Two MCP-preview endpoints accept full stdio server configs, command, args, env, and chaining that with the Starlette "BadHost" auth bypass, CVE-2026-48710, gets you unauthenticated remote code execution. That path leaks your model-provider API keys and opens lateral movement across your stack.
If you self-host an LLM gateway, this is your afternoon. Fixes shipped in LiteLLM v1.83.7 and Starlette 1.0.1+. Patch both. Then rotate every provider key that touched a vulnerable instance, because "confirmed in-the-wild" means assume compromise, not theoretical risk. Audit and authenticate every MCP server in your agent stack. The convenience of MCP, that anything can plug into anything, is exactly what makes it a near-perfect supply-chain target. We solved this in package management with signing and scanning. The MCP ecosystem is shipping integrations faster than it's shipping the security primitives to make them safe. Don't wait for the ecosystem to catch up. Lock yours down now.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Shared topic / Earlier coverage
CISA Confirms: Your AI Security Scanner Got Backdoored. Federal Deadline Is April 8.
Both cover Audit, CISA, CVE, CVEs; overlapping topics (chain, litellm); earlier Audit coverage from 2026-03-28.
Shared entities / Shared topic / Earlier coverage / Tension
MCP Servers Are The New Shadow IT: 30 CVEs in 60 Days, 82% Vulnerable to Path Traversal, 38% Have Zero Auth
Both cover Audit, CVE, CVEs, CVSS; overlapping topics (auth, chain, server); earlier Audit coverage from 2026-03-23.
Shared entities / Same source domain / Shared topic / Earlier coverage
MCP STDIO transport enables arbitrary command execution across 11 CVEs, 7,000+ servers, 150M+ package downloads.
Both cover CVE, CVEs, LiteLLM, MCP; reported by the same outlet (thehackernews.com); overlapping topics (agent, command, execution, server).
Shared entities / Shared topic / Earlier coverage
The Agent Security Crisis Is Here: 36% of ClawHub Skills Malicious, 30+ MCP CVEs, RCE in Microsoft Agent Framework
Both cover Audit, CVE, CVEs, CVSS; overlapping topics (agent, chain, microsoft); earlier Audit coverage from 2026-03-05.
Bitdefender Quantifies MCP Security Crisis: 53% Static Credentials, 8.5% OAuth
Both cover Audit, CVE, CVEs, CVSS; overlapping topics (chain, server); earlier Audit coverage from 2026-02-22.
MCP's attack surface keeps widening: 1,467 exposed servers, 67 CVEs from one automated sweep.
Both cover Censys, CVEs, CVSS, MCP; overlapping topics (auth, flaw, server); earlier Censys coverage from 2026-06-08.
MCP server sprawl is now the dominant agent supply-chain risk: 12,520 exposed services, ~40% with no auth.
Both cover Akamai, Censys, CVEs, MCP; overlapping topics (agent, auth, server); earlier Akamai coverage from 2026-06-05.
Shared entities / Earlier coverage
10 Skills of the Day
Both cover Audit, CISA, CVSS, LiteLLM; earlier Audit coverage from 2026-03-25.
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — June 17, 2026
- AI generated
- no
- Story unit
- 2026-06-17-the-mcp-supply-chain-has-a-hole-in-the-floor-and-it-s-being-exploited-right-now
- Labels
- source-backed, canonical briefing excerpt