MCP supply chain flaw: 200,000 AI agent servers exposed to remote code execution
AnalysisOX Security disclosed an architectural flaw in Anthropic's Model Context Protocol (MCP), the now-standard way AI agents connect to local tools, that lets attackers run arbitrary operating system commands through the default STDIO transport. Researchers found 7,000 servers reachable on public IPs and estimate roughly 200,000 vulnerable instances overall, across more than 150 million SDK downloads. Cursor, Claude Code, Windsurf, VS Code, and Gemini-CLI all inherit the issue, with Windsurf (CVE-2026-30615) the only IDE where exploitation needs zero clicks. Anthropic updated its security notes but called the behavior expected and declined an architectural fix. The Cloud Security Alliance independently confirmed the findings as of May 1. Patches landed in LiteLLM, DocsGPT, Flowise, and Bisheng. Windsurf and Langchain-Chatchat were still listed as reported.