Get in Touch
Get in Touch

A Silent Threat in AI Infrastructure: MCP’s “By Design” RCE Vulnerability

Architectural AI security vulnerability

4/22/20262 min read

A Silent Threat in AI Infrastructure: MCP’s “By Design” RCE Vulnerability

As artificial intelligence systems become deeply embedded in modern software stacks, their underlying protocols are rapidly becoming part of the global attack surface. At StealthLayerSecurity, we continuously track emerging risks—and a recent discovery around the Model Context Protocol (MCP) demands serious attention.

The Discovery: A Flaw That Wasn’t Meant to Be One

Researchers from OX Security have identified a critical “by design” weakness in the Model Context Protocol (MCP), originally introduced by Anthropic.

Unlike traditional vulnerabilities caused by coding mistakes, this issue stems from architectural decisions, making it significantly more dangerous and harder to remediate.

At its core, the flaw enables Remote Code Execution (RCE) on any system running a vulnerable MCP implementation. This means attackers can potentially gain access to:

  • Sensitive user data

  • Internal databases

  • API keys

  • Chat histories

    The flaw exists within MCP’s official SDK across multiple programming languages:

  • Python

  • TypeScript

  • Java

  • Rust

It has already impacted:

Over 7,000 publicly accessible servers more than 150 million downloads across affected packages.

Popular frameworks and tools exposed include:

  • LangChain

  • Flowise

  • LangFlow

  • LiteLLM

  • DocsGPT

Multiple CVEs have already been assigned, including:

  • CVE-2026-30623 (LiteLLM – patched)

  • CVE-2026-26015 (DocsGPT – patched)

  • CVE-2026-40933 (Flowise)

And several others across the ecosystem

Root Cause: Unsafe STDIO Defaults

The vulnerability originates from how MCP handles configuration over the STDIO (standard input/output) interface.

The protocol was designed to:

Launch a local STDIO server and pass its handle to the LLM

However, in practice:

  • Arbitrary system commands can be executed

  • Commands run even if they fail afterward

  • Error responses occur after execution, not before

This creates a dangerous condition where any command that reaches the interface may execute on the host system.

Attack Vectors Observed

  • Researchers categorized exploitation into four major patterns:

  • Command Injection via MCP STDIO

  • Both authenticated and unauthenticated scenarios

  • Direct STDIO Configuration Abuse

  • Bypassing security hardening mechanisms

  • Zero-Click Prompt Injection

  • Malicious prompts altering MCP configurations without user interaction

  • Marketplace-Based Exploitation

  • Malicious MCP servers triggering hidden execution via network requests

  • A Pattern of Recurrence

This is not the first time MCP related issues have surfaced. Similar vulnerabilities have been reported in:

  • MCP Inspector

  • LibreChat

  • Cursor

  • WeKnora

Despite repeated findings, the core issue persists.

The Controversy: “Expected Behavior”

Anthropic has classified this behavior as expected, choosing not to modify the protocol architecture.

This raises a critical question for the industry:

When does “design choice” become a security liability?

By leaving remediation to downstream developers, the responsibility becomes fragmented while the risk remains centralized.

infrastructure-level flaws propagate:

  • Across languages

  • Across frameworks

  • Across entire supply chains

A single design decision can silently introduce vulnerabilities into thousands of systems.

Mitigation Strategies

Organizations using MCP or MCP-based tools should act immediately:

  • Restrict public IP access to sensitive services

  • Monitor MCP tool execution and logs

  • Run MCP-enabled services in sandboxed environments

  • Treat all external MCP configurations as untrusted input

  • Only install MCP servers from verified and trusted sources

Final Thoughts from StealthLayerSecurity

What makes this incident particularly concerning is not just the vulnerability itself—but how it spread.

One architectural assumption propagated into:

  • Every SDK

  • Every integration

  • Every dependent application

This is the definition of a modern supply chain attack vector.

At StealthLayerSecurity, we believe this marks a turning point:

Security must be embedded at the protocol level, not delegated downstream.

Because when the foundation is flawed, everything built on top inherits the risk.

Contact

Secure your business with expert cybersecurity support.

Connect

info@stealthlayersecurity.com

2018 - 2025 Stealth Layer Security.All rights reserved.