# Security researchers warn 200,000 MCP servers are vulnerable to command injection

_Friday, May 1, 2026 at 8:44 PM EDT · AI, Cybersecurity · Latest · Tier 1 — Major_

![Security researchers warn 200,000 MCP servers are vulnerable to command injection — Primary](https://images.ctfassets.net/jdtwqhzvc2n1/5zcdzz8S6R9xMQCRiaArOG/1290a9dbaee30dd37a47fefa5b656922/ANTHROPIC.png?w=800&q=75)

Anthropic created the Model Context Protocol as the open standard for AI agent-to-tool communication. OpenAI adopted it in March 2025. Google DeepMind followed. Anthropic donated MCP to the Linux Foundation in December 2025. Downloads crossed 150 million. Then four researchers at OX Security found an architectural problem that affects all of them.

MCP's STDIO transport, the default for connecting an AI agent to a local tool, executes whatever operating system command it is handed, with no sanitization and no execution boundary between configuration and command. A malicious command surfaces only as an error returned after it has already run, and nothing in the developer toolchain flags it.

OX Security researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok and Roni Bar scanned the ecosystem and found 7,000 servers on public IP addresses with the STDIO transport active. Extrapolating from that ratio, they estimate 200,000 vulnerable instances in total. They confirmed arbitrary command execution on six live production platforms with paying customers. The research produced more than 10 CVEs rated high or critical across LiteLLM, LangFlow, Flowise, Windsurf, LangChain-Chatchat, Bisheng, DocsGPT, GPT Researcher, Agent Zero, and LettaAI.

Kevin Curran, an Institute of Electrical and Electronics Engineers senior member and professor of cybersecurity at Ulster University, independently told Infosecurity Magazine the research exposed a shocking gap in the security of foundational AI infrastructure.

Anthropic confirmed the behavior is by design and declined to modify the protocol. The company characterized STDIO's execution model as a secure default and input sanitization as the developer's responsibility. OX says expecting 200,000 developers to sanitize inputs correctly is the problem. Anthropic's strongest technical counter is that sanitizing STDIO would either break the transport or move the payload one layer down.

Any team that deployed an MCP-connected AI agent over the default STDIO transport is exposed. The weakness is not a coding bug in any single product. It is a design default in Anthropic's MCP specification that propagated into every official language SDK (Python, TypeScript, Java, and Rust), and every downstream project that trusted the protocol inherited it.
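To make the "developer's responsibility" concrete, the following is an added example written for this article; it is not code from OX Security, Anthropic or any MCP SDK, and it assumes only the widely used `mcpServers` JSON shape (`{"command": ..., "args": [...]}`) that MCP clients read. The allowlist, the registry, the package name `@example/mcp-server-docs` and the three sample entries are constructed. It audits each STDIO entry for the properties that turn a configuration into a command injection (a path or embedded arguments in `command`, shell metacharacters, a launcher outside the allowlist), shows the weak builder that joins request-supplied fields into one shell string, and beside it a hardened resolver in which untrusted input can only select an operator-defined entry that has passed the audit and is spawned as an argv list without a shell.

```python
"""Audit MCP STDIO launch configuration and gate what gets spawned.

Added example for this article, not code from OX Security, Anthropic or any
MCP SDK. Assumes the widely used `mcpServers` JSON shape
({"command": ..., "args": [...]}); the allowlist, registry and sample entries
below are constructed for illustration.
"""
import json
import re
import shlex

# Constructed allowlist: launchers an operator is willing to spawn for MCP tools.
ALLOWED_COMMANDS = frozenset({"npx", "uvx", "node", "python3"})

# Characters that only have meaning if the string reaches a shell.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")


def audit_stdio_server(name: str, cfg: dict) -> list[str]:
    """Return findings for one server entry; an empty list means it passed."""
    findings: list[str] = []
    command = cfg.get("command")
    args = cfg.get("args", [])

    if not isinstance(command, str) or not command.strip():
        return [f"{name}: missing or non-string 'command'"]

    # A path in 'command' sidesteps PATH-based allowlisting of the launcher.
    if "/" in command or "\\" in command:
        findings.append(f"{name}: 'command' carries a path ({command!r})")

    # Metacharacters only matter if a shell will parse the string; flag them.
    if SHELL_META.search(command):
        findings.append(f"{name}: shell metacharacters in 'command' ({command!r})")

    # 'command' should be a single token; embedded arguments imply shell=True somewhere.
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: treat the raw string as one token
        tokens = [command]
    if len(tokens) != 1:
        findings.append(f"{name}: 'command' embeds arguments ({command!r})")

    launcher = tokens[0].replace("\\", "/").rsplit("/", 1)[-1]
    if launcher not in ALLOWED_COMMANDS:
        findings.append(f"{name}: launcher {launcher!r} not in allowlist")

    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        findings.append(f"{name}: 'args' must be a list of strings")
    else:
        findings.extend(
            f"{name}: shell metacharacters in arg {a!r}" for a in args if SHELL_META.search(a)
        )
    return findings


def audit_mcp_config(config_text: str) -> dict[str, list[str]]:
    """Audit every entry under "mcpServers" in a client config file."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: audit_stdio_server(name, cfg) for name, cfg in servers.items()}


def weak_command_line(cfg: dict) -> str:
    """The pattern the article describes: a request-supplied entry is joined into
    one string and handed to a shell. Returned, not executed, so the reader can
    see exactly what the shell would parse."""
    return " ".join([cfg["command"], *cfg.get("args", [])])


def hardened_argv(server_name: str, registry: dict) -> list[str]:
    """Untrusted input may only *select* a registry key. The launcher and its
    arguments come from operator-controlled config that must pass the audit, and
    the result is an argv list for subprocess.Popen(argv) with shell=False."""
    if server_name not in registry:
        raise PermissionError(f"unknown MCP server {server_name!r}")
    cfg = registry[server_name]
    findings = audit_stdio_server(server_name, cfg)
    if findings:
        raise PermissionError("; ".join(findings))
    return [cfg["command"], *cfg.get("args", [])]


def launch_allowed(server_name: str, registry: dict) -> bool:
    """True if hardened_argv would agree to spawn this entry."""
    try:
        hardened_argv(server_name, registry)
    except PermissionError:
        return False
    return True


# Constructed sample config: one clean entry and two that must be refused.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "docs": {"command": "npx", "args": ["-y", "@example/mcp-server-docs", "/srv/docs"]},
        "notes": {"command": "node server.js && whoami"},
        "legacy": {"command": "./run.sh", "args": ["--port", "8080"]},
    }
})
SAMPLE_REGISTRY = json.loads(SAMPLE_CONFIG)["mcpServers"]

if __name__ == "__main__":
    for name, findings in audit_mcp_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else findings)
    print("weak builder would hand a shell:", weak_command_line(SAMPLE_REGISTRY["notes"]))
    print("hardened argv for docs:", hardened_argv("docs", SAMPLE_REGISTRY))
```

The audit is the part worth wiring into a build or deploy step: run it over every MCP client config a product ships or generates, and fail the check on any non-empty findings list. The hardened resolver is the shape of the fix OX is asking for at the integration layer: the web interface never carries a command, only a name, and the spawn uses an argv list so that metacharacters in a filename or flag are passed to the child as bytes rather than parsed by a shell.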

OX identified four exploitation families. Unauthenticated command injection through AI framework web interfaces was demonstrated against LangFlow and LiteLLM.

## Sources

- [VentureBeat](https://venturebeat.com/security/mcp-stdio-flaw-200000-ai-agent-servers-exposed-ox-security-audit)

---
Canonical: https://techandbusiness.org/newswire/B6qUbx5V3vkkKCjzbOvjFt
Retrieved: 2026-05-02T03:27:36.645Z
Publisher: Tech & Business (techandbusiness.org)
