A critical architectural flaw affects over 200,000 servers running Anthropic's Model Context Protocol (MCP), the open standard that OpenAI, Google DeepMind, and other AI companies adopted for connecting AI agents to external tools. Researchers at OX Security discovered that the vulnerability allows command execution across all implementations of the protocol.

Anthropic created MCP as an open standard in 2024. The protocol gained rapid adoption after OpenAI endorsed it in March 2025. Google DeepMind followed suit, and Anthropic donated the technology to the Linux Foundation in December 2025. Downloads exceeded 150 million.

The OX Security team identified a systemic vulnerability at the core of MCP's architecture. The flaw stems from how the protocol handles communication between AI models and tools. Rather than treating this as a security problem requiring immediate patches, Anthropic characterized the issue as a design feature. The distinction matters: behavior classed as a feature requires fundamental redesign rather than simple fixes.

The vulnerability exposes every organization running MCP servers to potential exploitation. The scale of deployment means attackers could target thousands of servers simultaneously. Companies relying on MCP for AI integrations now face pressure to address the flaw while maintaining compatibility with the broader ecosystem.

The incident raises questions about security vetting when open standards gain rapid adoption. MCP's architecture appears to prioritize flexibility and interoperability over built-in protections against command execution attacks.