www.securityweek.com 4/15/2026, 2:01:06 PM

Anthropic MCP flaw exposes AI tools to full system takeover

SecurityWeek reports that a flaw described as architectural in Anthropic’s Model Context Protocol (MCP) could allow unsanitised commands to run through the STDIO transport, potentially giving an attacker full control of a user’s computer across widely used AI environments. According to OX Security, the problem is that the configured command is executed even when the local server process fails to start, and nothing in the developer toolchain raises a sanitisation warning or other red flag.
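The weak point the article describes is that a stdio server entry is a command string the client hands straight to the operating system. One defensive control is to lint those entries before anything is spawned. The following is an added example, not code from SecurityWeek, OX Security or Anthropic; it assumes the common client layout `{"mcpServers": {name: {"command": ..., "args": [...]}}}`, and the allowlist and sample config are constructed for illustration.

```python
# Pre-launch linter for MCP stdio server entries (added example; assumes the
# {"mcpServers": {name: {"command", "args"}}} layout; allowlist is constructed).
import json
import re
import shutil

ALLOWED_COMMANDS = {"npx", "uvx", "node", "python3"}  # constructed allowlist of launchers
SHELL_META = re.compile(r"[;&|`$<>\n]")               # characters that only a shell interprets


def check_server(name, entry, resolve=shutil.which):
    """Return findings for one stdio server entry; an empty list means it may be launched."""
    findings = []
    cmd = entry.get("command")
    args = entry.get("args", [])
    if not isinstance(cmd, str) or not cmd:
        return [f"{name}: missing or non-string 'command'"]
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        findings.append(f"{name}: 'args' must be a list of strings")
        args = []
    base = cmd.rsplit("/", 1)[-1]
    if base not in ALLOWED_COMMANDS:
        findings.append(f"{name}: command '{base}' is not on the allowlist")
    # Resolve the executable before anything is spawned: a command that does not
    # map to a real binary should never reach exec(), let alone a shell.
    if resolve(cmd) is None:
        findings.append(f"{name}: command '{cmd}' does not resolve to an executable")
    for token in [cmd, *args]:
        if SHELL_META.search(token):
            findings.append(f"{name}: shell metacharacter in {token!r}")
    return findings


def lint_config(text, resolve=shutil.which):
    """Parse a client config and return {server_name: [findings]} for entries that fail."""
    servers = json.loads(text).get("mcpServers", {})
    return {n: f for n, e in servers.items() if (f := check_server(n, e, resolve))}


# Constructed sample config: one clean entry, one shell-wrapped entry, one ghost entry.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"]},
    "suspicious": {"command": "sh", "args": ["-c", "echo started && echo $HOME"]},
    "ghost": {"command": "not-installed-server", "args": []},
}})

if __name__ == "__main__":
    for name, findings in lint_config(SAMPLE_CONFIG).items():
        print(name, "->", "; ".join(findings))
```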

MCP was introduced by Anthropic in November 2024. Since then the flaw has been shown to enable data theft, including API keys and internal corporate data, as well as the exposure of chat histories and, in some cases, silent malware installation leading to possible system takeover. Anthropic updated its security guidance to recommend using MCP adapters with caution, effectively leaving the flaw intact and shifting responsibility to developers.

OX Security conducted a coordinated disclosure, resulting in more than 30 accepted disclosures and more than 10 high and critical vulnerabilities patched, but the underlying design remains vulnerable at scale. The article is dated 15 April 2026.


Article by CyberSIXT