CRITICAL · CVSS 9.8

Anthropic MCP — design-level RCE on 200,000+ servers (April 2026)

OX Security disclosed a design-level flaw in the MCP architecture: the client spawns the configured local process before the failed-connection error is returned. A malicious config string therefore executes on the host before the protocol layer can reject the connection, giving arbitrary command execution on every system running a vulnerable MCP implementation.

Affects
  • Anthropic MCP <= patch-line
  • All MCP server implementations relying on default local-process dispatch
  • 7,000+ publicly-accessible servers identified at disclosure
  • 150M+ cumulative downloads of affected packages

What an attacker does

An attacker delivers a crafted MCP config string (via a typosquatted server, a rug-pulled tool catalog, or an indirect-prompt-injection chain that convinces the agent to install a malicious server). The vulnerable client spawns the configured local process before protocol-level connection validation completes — by the time the failed-connection error returns, attacker-controlled code has already run with the user's filesystem and network access.

How to detect

Run `mcp-scan` (Invariant Labs) against your installed MCP servers — see https://github.com/invariantlabs-ai/mcp-scan. The tool checks for the vulnerable dispatch shape, tool-poisoning and rug-pull patterns in a single pass.

How to fix

Upgrade Anthropic MCP client to the patched version. Revoke any MCP server installation older than the patch line. Re-validate every fingerprint in your trusted catalog after upgrade.

Workaround if you cannot upgrade today

Disable MCP entirely OR run only locally-authored MCP servers with operator-pinned fingerprints until the patched client ships across your fleet.

Securie finding: critical · CVSS 9.8
CVE-pending-MCP-RCE-2026

How Securie catches CVE-pending-MCP-RCE-2026

Securie's MCP trust-enforcement layer — a signed trusted-server catalog, a manifest validator, and a per-dispatch scope check — rejects any MCP server whose fingerprint isn't operator-authored, fail-closes on tool-scope drift, and constant-time-validates every dispatch. Customers running MCP trust enforcement between agent and MCP server are immune to this class of design flaw.
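The gate ordering that the "How to fix" and trust-enforcement sections describe, as an added illustration rather than Securie's own code: validation against an operator-pinned manifest fingerprint (compared in constant time) and the pinned tool scope runs first, fail-closed, and only a passing result yields anything to spawn. The catalog, manifest, paths and tool names below are constructed for the example.

```python
import hashlib
import hmac
import json

def manifest_fingerprint(manifest: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the manifest (command, args, tools)."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

# Constructed example manifest (hypothetical paths and tool names, not a real server).
REVIEWED_FILES_MANIFEST = {
    "command": "node",
    "args": ["files-server.js", "--root", "/srv/docs"],
    "tools": ["read_file", "list_dir"],
}

# Constructed operator-pinned catalog: fingerprint of the reviewed manifest plus the
# exact tool scope that manifest may expose.
TRUSTED_CATALOG = {
    "files": {
        "fingerprint": manifest_fingerprint(REVIEWED_FILES_MANIFEST),
        "tools": {"read_file", "list_dir"},
    }
}

def validate_dispatch(server: str, manifest: dict, tool: str, catalog: dict = TRUSTED_CATALOG):
    """Fail-closed gate: returns (ok, reason); every check must pass before any spawn."""
    entry = catalog.get(server)
    if entry is None:
        return False, "unknown server: not in operator catalog"
    # Constant-time compare so a mismatch does not leak how much of the pin matched.
    if not hmac.compare_digest(manifest_fingerprint(manifest), entry["fingerprint"]):
        return False, "fingerprint mismatch: manifest differs from the reviewed version"
    if tool not in entry["tools"]:
        return False, f"tool-scope drift: {tool!r} not in pinned scope"
    return True, "ok"

def gate_launch(server: str, manifest: dict, tool: str, catalog: dict = TRUSTED_CATALOG):
    """Return the argv to spawn only after validation passes; None means nothing runs.
    Ordering is the point: the vulnerable dispatch spawned first and validated later."""
    ok, _reason = validate_dispatch(server, manifest, tool, catalog)
    if not ok:
        return None
    return [manifest["command"], *manifest["args"]]

if __name__ == "__main__":
    poisoned = dict(REVIEWED_FILES_MANIFEST, args=["files-server.js", "--root", "/"])
    print(gate_launch("files", REVIEWED_FILES_MANIFEST, "read_file"))  # argv to spawn
    print(gate_launch("files", poisoned, "read_file"))                 # None
```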

