200,000 MCP servers expose a command execution flaw that Anthropic calls a feature

Anthropic's Model Context Protocol, the open standard for AI agent-to-tool communication, sits at the center of a systemic security vulnerability that affects 200,000 deployed servers. Researchers at OX Security discovered an architectural flaw in MCP's STDIO transport layer that enables command execution across the entire ecosystem.

The protocol gained massive adoption after Anthropic open-sourced it. OpenAI adopted MCP in March 2025. Google DeepMind followed suit. Anthropic donated MCP to the Linux Foundation in December 2025, cementing its role as foundational infrastructure for agentic AI. Downloads exceeded 150 million.

The vulnerability exposes a core design problem. Instead of treating it as a critical security issue, Anthropic frames the command execution capability as intentional. This stance creates tension. The flaw affects every MCP implementation in production, from enterprise deployments to edge cases.

The timing matters. MCP adoption accelerated as enterprises rushed to build AI agents without waiting for security hardening. The protocol now underpins thousands of integrations across major companies. A systemic vulnerability at this layer risks compromising entire agent ecosystems.

OX Security's disclosure forces the community to confront a choice. Either MCP requires architectural redesign before wider deployment, or organizations accept the command execution risk as inherent to the protocol's design.