The MCP Protocol Has a Design Flaw, and Anthropic Says That Is Expected: 7,000 Servers, 150M Downloads, and a CVSS 9.8 in Two HTTP Requests
Written by the Rafter Team
In mid-April 2026, OX Security's research team — Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok, and Roni Bar — disclosed what they call a "critical, systemic vulnerability at the core of the Model Context Protocol." The mechanism is the STDIO transport that Anthropic's reference MCP SDKs use as their default. The protocol's STDIO server handler executes whatever command the configuration specifies, and the architectural decision propagates through every Anthropic-maintained SDK — Python, TypeScript, Java, and Rust. OX scopes the resulting exposure at more than 7,000 publicly accessible MCP servers, more than 150 million downloads across affected packages, and ten named CVEs in downstream projects including LiteLLM, LangChain, LangFlow, and Flowise.
Anthropic declined to modify the protocol, characterizing the behavior as "expected" and shifting responsibility to implementers.
Two weeks later, Pluto Security's Yotam Perkal disclosed CVE-2026-33032 (MCPwn): a CVSS 9.8 authentication bypass in nginx-ui's MCP integration that lets any network attacker rewrite Nginx configuration in two HTTP requests with zero credentials. The patch was a single line of code. Approximately 2,600 publicly exposed nginx-ui instances across 50-plus countries are vulnerable until upgraded. Active exploitation in the wild.
A second pair of CVEs in Atlassian's mcp-atlassian server — MCPwnfluence, CVE-2026-27825 and CVE-2026-27826 — completes the early-2026 disclosure cluster. SSRF plus path traversal, chained, deliver remote code execution on the same local network without authentication.
If your team operates MCP servers, pin to patched versions today: nginx-ui 2.3.4 or later (CVE-2026-33032 / MCPwn), and mcp-atlassian 0.17.0 or later (CVE-2026-27825 + CVE-2026-27826 / MCPwnfluence). Audit auth middleware on every endpoint that mutates state — the MCPwn root cause was a single missing middleware.AuthRequired() reference. Treat every MCP endpoint reachable from the network as reachable by an unauthenticated attacker until proven otherwise.
The systemic finding
OX's central claim is that an MCP server's configuration field becomes a command, and the protocol's reference implementations do nothing to break that flow.
In their own phrasing: "This flaw enables Arbitrary Command Execution (RCE) on any system running a vulnerable MCP implementation." The mechanism: the STDIO transport's server handler executes whatever command the configuration specifies. If server creation fails, the error is returned after the command has already executed — enabling blind RCE, where the attacker doesn't even need a successful response to confirm execution.
Because the architectural decision lives in the Anthropic-maintained reference SDKs — Python, TypeScript, Java, Rust — every developer building on those SDKs inherits the same default. The OX research team scopes the exposure at more than 7,000 publicly accessible MCP servers and more than 150 million downloads across affected packages, with ten named CVEs in downstream projects including LiteLLM, LangChain, LangFlow, and Flowise.
Anthropic's position
Anthropic declined to modify the protocol architecture. The published response characterizes the behavior as "expected" and shifts responsibility to implementers.
That answer is internally consistent. A protocol designer can reasonably take the position "if you build on STDIO transport, sanitize what you put in the command field, and that is your responsibility, not the protocol's." That stance is defensible at a design-document level.
It is much less defensible operationally. The consequence is that every team building an MCP server inherits the protocol's defaults whether they intended to or not, and most teams reach for MCP because they want to ship an agent feature this quarter, not because they want to audit a transport layer. "Implementer's problem" is the right answer in a vacuum. Inside an ecosystem with 150 million downloads moving at AI-product cadence, it is a load-bearing assumption that the rest of the stack has to either honor or get burned by.
MCPwn: the protocol's "expected behavior" turning into RCE in production
Pluto Security's disclosure of CVE-2026-33032 at the end of March is the canonical example of how the OX finding plays out in implementations.
nginx-ui is a popular web UI for managing Nginx servers. It exposes an MCP integration so that AI agents can manage Nginx configuration on the user's behalf. The integration has two endpoints:
GET /mcp— establishes a Server-Sent Events session, returns a session ID. Auth middleware enforced.POST /mcp_message?sessionId=…— invokes any of 12 MCP tools, including ones that rewrite Nginx config and trigger reloads. Auth middleware skipped.
In Pluto's words: "the endpoint where every destructive operation happens skips authentication entirely."
The exploit
Two HTTP requests, zero credentials:
GET /mcpto establish an SSE session and obtain a session ID.POST /mcp_message?sessionId=<id>invoking any of the 12 tools.
The second request, on a vulnerable instance, is sufficient to rewrite Nginx config on the host. CVSS 9.8. Recorded Future risk score 94/100.
The patch
The fix in nginx-ui 2.3.4 (March 15, 2026) was a single line: an added middleware.AuthRequired() call on the /mcp_message route. Twenty-seven characters of code.
The reason this matters as a design lesson is exactly the size of the diff. It is not a complicated bug. There is no clever exploit. A developer extending an MCP integration forgot to apply the auth middleware to one route, and the protocol's surrounding framing did not cause the absence to be loud.
The exposed surface
Pluto reports approximately 2,600 publicly exposed nginx-ui instances across 50-plus countries, primarily on port 9000. Active exploitation in the wild; exploit details emerged at the end of March.
MCPwnfluence: SSRF + path traversal in mcp-atlassian
The second concrete instance is the MCPwnfluence chain in Atlassian's mcp-atlassian server.
- CVE-2026-27825 (CVSS 9.1) — server-side request forgery.
- CVE-2026-27826 (CVSS 8.2) — path traversal.
Chained, the two enable remote code execution by an attacker on the same local network without authentication. Patched in mcp-atlassian 0.17.0.
The mcp-atlassian project is the canonical bridge between an LLM agent and a customer's Atlassian workspace — Jira tickets, Confluence pages, all of it. An RCE on that server, on the LAN, is direct lateral movement from "an agent talks to Jira" to "an attacker controls the host that talks to Jira."
What this is, in pattern terms
Read the OX systemic finding, MCPwn, and MCPwnfluence as one composite picture, not three.
The protocol's default behavior is configuration becomes execution. The reference SDKs propagate that default. The implementations built on top of those SDKs ship with auth-middleware bugs (MCPwn), SSRF bugs (MCPwnfluence-1), and path-traversal bugs (MCPwnfluence-2), because the threat model on the implementer side has not caught up with the reach the protocol gives them.
This is the same shape as several recent incidents in the AI tooling space. The Codex command-injection bug from March was a string flowing into execSync inside a flagship AI coding agent — CWE-78, command injection, in a place where the surrounding product framing implied it shouldn't matter. The PyTorch Lightning compromise on April 30 was a postinstall hook flowing into a JavaScript runtime — same install-time trust assumption, different vector. MCP is the protocol-level version of the same thesis: AI-product surfaces are inheriting threat models from older, lower-level primitives, and the threat model is being underweighted because the products feel new.
The cadence is consistent. Every few weeks, a different layer of the AI stack gets a CVSS 9-class finding traceable to a primitive that was already considered solved in the pre-AI ecosystem. MCP is the protocol layer's version this month.
What to do
If you build MCP servers
- Treat any input that flows from MCP configuration into a child process or shell as adversarial. Quote, validate, and write tests that try to break out via shell metacharacters, environment-variable expansion, and Unicode lookalikes. Do not assume the STDIO transport sanitizes the command field; OX's finding is that it explicitly does not.
- Audit auth middleware on every endpoint that mutates state. Write a regression test for the "endpoint exists but middleware is missing" case — that is the MCPwn shape exactly. A linter pass that flags routes registered without an
AuthRequired(or equivalent) middleware is a valid 27-line piece of CI code today. - For SSRF and path-traversal patterns specifically, validate every URL fetched on behalf of agent input against an allowlist, and validate every file path against a known-safe prefix. The MCPwnfluence chain is the textbook reason to do both.
If you use MCP servers
- Pin to patched versions. nginx-ui 2.3.4 or later. mcp-atlassian 0.17.0 or later. Track the disclosure threads on LiteLLM, LangChain, LangFlow, and Flowise for downstream CVEs flowing from the OX finding.
- Audit which MCP servers run with privileged scope on hosts that touch production data. The blast radius of an MCP RCE is whatever the agent could do on its own, with whatever credentials the host holds.
- Inventory your agent stack's MCP dependencies the same way you'd inventory any third-party server: known versions, known maintainers, known disclosure history. "It's an MCP server, it must be safe" is the same kind of category mistake as "it's a security tool, it must be trustworthy" was for the Trivy / TeamPCP campaign earlier this quarter.
If you build agents on top of MCP
- The protocol's "expected behavior" stance means your product is the layer where the threat model lives now. Decide explicitly what your agent will and will not do with MCP-derived configuration. Decide which MCP server categories are allowed to issue destructive operations.
- Make those decisions live in code, not in implicit defaults. SDK defaults are what shipped. Yours is what runs.
How Rafter helps
Rafter's Code Analysis Engine looks for command-injection patterns, missing-auth-middleware patterns, SSRF patterns, and path-traversal patterns on every push. The diff that introduces an unsafe MCP endpoint, an unsanitized configuration flow, or a missing-auth handler is exactly where the warning is most useful — before the server is built, deployed, and counted in the next exposure scan.
Rafter does not patch the protocol. The protocol layer is upstream of any code scanner. What scanning shortens is the window between "an unsafe MCP endpoint is introduced in your repo" and "it's deployed at scale."
Closing on the gap
A protocol stance of "the behavior is expected, sanitize on your end" is defensible in isolation. It becomes a problem when the protocol is also being marketed as the standard interface between AI agents and tools, downloaded 150 million times, deployed on 7,000 publicly accessible servers, and adopted at the speed AI products ship.
The protocol is doing what it was designed to do. The product layer is the layer that has to harden — because the protocol layer has decided not to.
Further reading
- Sandworm-mode: the npm worm that injected MCP servers — what happens when the attack is to write a malicious MCP server into the developer's environment, instead of finding a bug in a real one.
- A Branch Name as RCE: OpenAI Codex and the GitHub Token It Held — same bug class (command injection) at the agent-product level rather than the protocol level.
- PyTorch Lightning, Mini Shai-Hulud, and Malware That Signs Commits as Claude Code — install-time trust assumption, parallel pattern.
Sources
- The Hacker News — Anthropic MCP Design Vulnerability Enables RCE: https://thehackernews.com/2026/04/anthropic-mcp-design-vulnerability.html
- OX Security — The Mother of All AI Supply Chains: https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/
- OX Security — MCP Supply Chain Advisory: RCE Vulnerabilities Across the AI Ecosystem: https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/
- The Register — MCP design flaw puts 200k servers at risk: https://www.theregister.com/2026/04/16/anthropic_mcp_design_flaw/
- New Claw Times — MCPwn: The First Major MCP Exploit in the Wild: https://newclawtimes.com/articles/mcpwn-cve-2026-33032-nginx-ui-mcp-auth-bypass-actively-exploited/
- MCP server security review checklist
- AI security beyond prompt injection
- A year of AI developer-tool supply-chain attacks