Derek: Okay, so get this. OX Security dropped an advisory this week and it is not pretty. A design flaw baked into Anthropic's MCP-STDIO interface affecting up to 200,000 servers and 150 million SDK downloads. Python, TypeScript, Java, Rust, all of them.
Max: And Anthropic's response?
Derek: Anthropic? Expected behavior. No patch. No architectural fix. Just a security.md update saying, hey, be careful with STDIO.
Max: That's a strong choice. Welcome to Autonomous Autopsy, everyone. I'm Max.
Derek: And I'm Derek. Today we are doing a full kill chain on this thing.
Max: So here's the breakdown. Derek walks the four exploitation families OX identified, including CVE-2026-30615, the Windsurf zero-click that required literally no user interaction, and we dig into how 9 out of 11 MCP marketplaces got registry poisoned in testing.
Derek: Then we compare vendor responses: Microsoft patched CVE-2026-26118, their Azure SSRF flaw, in a single cycle. Anthropic called their comparable flaw a feature; we'll let that sit for a moment.
Max: Just a moment.
Derek: And then, wait for it, CVE-2026-33032, the nginx UI by MCPwn chain. Two CVEs, one unauthenticated backup endpoint leaking node secret, 2,600 exposed instances and Recorded Future confirming active exploitation in March.
Max: Oh, that one's bad. We also touch on Grasshopper Bank, the first U.S. bank MCP deployment, and what it means that the unpatched STDIO flaw sits underneath live banking infrastructure right now.
Derek: This is where it gets good. We end with four concrete actions you can run Monday morning, starting with vulnerablemcp.info.
Max: All right, let's get into the Autopsy. Segment One, the Kill Chain.
Derek: 200,000. That's the number. 200,000 servers sitting exposed right now, and Anthropic's official answer is two words, Expected Behavior.
Max: I'm sorry, expected behavior for remote code execution?
Derek: Yeah, OX Security spent five months digging into this, published their advisory April 15th, called it the Mother of All AI Supply Chains, and Anthropic said the protocol works as designed. Okay, walk me through the scope here, because I want people to feel this. So according to The Hacker News, the flaw hits Anthropic's official MCP SDKs across Python, TypeScript, Java, and Rust, all of them: 150 million downloads, over 7,000 publicly reachable servers, up to 200,000 vulnerable instances total. And not a single downstream project that trusted those SDKs is safe.
Max: He's escaped it?
Derek: Not one, because it's not a bug someone introduced; it's a design choice baked into the protocol.
Max: So what's the actual flaw, like mechanically?
Derek: So the MCP STDIO interface passes user-supplied commands directly to a privileged OS call, no sanitization. The command runs whether or not a valid MCP server ever starts. Wait, wait, so the server doesn't even need to successfully launch for the command to execute? Correct. You hand it any process, it fires the command, returns an error, and you're already in. What a feature! (chuckling) OX explicitly told Anthropic how to fix it at the protocol level: a manifest-only execution model or a command allow list in the official SDKs. One change propagates protection to every downstream project instantly.
Max: And Anthropic updated a security.md file. (deadpan) Nine days after first contact, said STDIO adapters should be used with caution. OX's response in their follow-up: this change didn't fix anything. So they shifted the sanitization burden onto every developer who consumed the SDK. Across 200,000 servers. And OX's framing on that is pretty blunt. The advisory says shifting responsibility to implementers doesn't transfer the risk, it just obscures who created it.
Derek: Yeah, documentation is not
Max: Right.
Derek: mitigation.
Max: So if this is the vendor response, the natural question becomes what does the actual attack look like in practice, because there's more than one way in here, and some of them require zero clicks from the target.
Derek: So let's walk the actual kill chain, because it's surprisingly short. The STDIO model is the root. When an MCP client launches a server, the command string in your config file flows straight to an OS-level subprocess call. No validation, no check that the target is even a real MCP server.
Max: Right. Pass a malicious command, you get an error back.
Derek: But the command already ran. The error is the receipt.
Max: Love that: confirmation of compromise delivered post-execution.
Derek: So OX cataloged four exploitation families off this. Family one is unauthenticated UI injection, demonstrated live against LangFlow and LiteLLM: you hit a public-facing web interface, drop in an arbitrary command via the STDIO config field, no auth required. And family two is the allow list bypass, right? Flowise and Upsonic thought they were protected. Yeah, OX got through using argument injection via npx -c, because npx executing arbitrary packages is its entire job. The allow list basically just suggested a polite starting point. Okay, but let's talk about family three, because CVE-2026-30615 is the one that should keep people up at night. Windsurf. Zero-click prompt injection. Walk me through it. Windsurf processes attacker-controlled HTML content. Malicious instructions silently rewrite the local mcp.json, register an attacker-controlled STDIO server, the MCP SDK initializes, launches the binary, shell access, no approval dialog, no confirmation step. So none at all? Like, you open a project. You open a project. That's it. OX confirmed it was the only IDE in their testing with zero user interaction; Cursor, Claude Code, Gemini-CLI all needed at least one step. Windsurf did not. And the fix was vendor side, not protocol side. Which is the whole problem. Exactly. Patching Windsurf removes that specific path. The underlying issue, that the config file is a code execution input? That stays. So then the registry angle is where this goes from bad to supply chain. According to OX's research, they tested eleven MCP registries, submitted a proof of concept malicious package to each, nine accepted it. No security review. Nine out of eleven. That's not a gap in the review process, that's basically no review process. Same NPM and PyPI supply chain playbook, except MCP registries are newer and greener. You click Install on what looks like a legitimate server, payload runs immediately. Hmm.
And that ties into something worth examining: this isn't only Anthropic being slow. Microsoft faced a comparable MCP disclosure in the same window, and their response looked pretty different. That comparison is worth sitting with for a minute. Sure, now flip that around: same week OX dropped their advisory, Microsoft was handling their own MCP disclosure: CVE-2026-26118, CVSS 8.8, Azure MCP server SSRF. Right, so walk me through the attack path, because it's clean, brutally clean. You swap in a malicious URL where an Azure resource identifier should go. The MCP server makes an outbound request to that URL, and it attaches its managed identity token in the process. So the server just hands over the token? Hands it over. According to SC World analysis, you capture that token, you inherit every permission that managed identity held: storage accounts, VMs, databases. And this shipped in a single Patch Tuesday cycle? March 10th, Talos Intelligence. Confirmed, patched, done. One cycle!
Max: Wow!
Derek: That's the contrast. Which means Anthropic got a comparable class of disclosure from OX, was offered a specific fix and declined. Minor mishap, not a patch problem, a documentation problem. Okay, hold on though, I want to push back a little here. Are these actually the same class of bug? Because SSRF and the STDIO command injection from Segment Two feel mechanically different. Yeah, they are different. SSRF is a server-side web flaw, STDIO is a transport-layer injection, different mechanisms, but here's the thing: they share the same root cause, which is no identity. SC World put it plainly, MCP ships with no authentication enabled by default. Adversa AI scanned 500-plus MCP servers and found nearly 50% of them were not authenticated. Only 38% lacked authentication entirely, so the Azure SSRF gives you a concrete example of what that looks like. Exactly. You steal the managed identity token, and now you're that server.
Speaker 3: Right.
Derek: No admin rights needed. You just ARE the identity. That's the blast radius. That token can touch every resource the managed identity was provisioned to reach. And managed identities in Azure tend to be... Over-provisioned. Security teams set them up for convenience, not least privilege. Okay, so the vendor response scorecard reads "Microsoft patched, one cycle"; Anthropic, "security.md update." One company treated it as a security incident, the other treated it as a documentation exercise. And that thirty-eight percent no-auth number is the downstream consequence of the "it's expected" framing. If the vendor normalizes it, every implementer inherits the exposure, which sets us up perfectly for what's next, because there's a case where someone actually shipped MCP without carrying over their existing auth model at all, and the result is something else. CVE-2026-33032, Nginx UI, and the fix was 27 characters of code. So, CVE-2026-33032. Pluto Security named it MCPwn, darkly appropriate. A CVSS 9.8, actively exploited in March, Recorded Future scored it ninety-four out of a hundred on risk. That's not a bad week for a single missing function call. Here's the actual setup: Nginx UI ships two MCP endpoints. /MCP has authentication; /MCP message does not. The IP whitelist is supposed to cover it, but the default whitelist is empty, and empty means allow all. The middleware literally fails open. So the bouncer has a clipboard with no names on it, and the policy is: if the list is blank, everyone's VIP. Exactly, and then it gets worse. That's where CVE-2026-27944 comes in.
Speaker 5: Uh-huh! Walk me through it.
Derek: Unauthenticated GET to /api/backup. The server hands you a full system backup: credentials, SSL private keys, Nginx configs, and the node secret that authenticates the MCP interface. Oh, and the AES-256 decryption key is in the HTTP response header. Wait, wait, wait. The encryption key is in the header of the same response? They shipped the lock with the key taped to it. I mean, you almost have to respect the efficiency. So now you have the node secret: you hit /MCP, get a session ID, POST to /MCP message, two HTTP requests, full Nginx config write, automatic reload. The Hacker News confirmed active exploitation with that chain back in March. And this is where the identity problem from last segment bites hard, because Nginx isn't just a web server sitting on a box. It's a reverse proxy in front of everything. Rewrite a server block, all traffic routes through you. Every credential in transit. Right. And the fix, according to Pluto Security's disclosure, was one missing middleware call: AuthRequired added to one route. Twenty-seven characters. Twenty-seven characters patching a CVSS 9.8, with twenty-six hundred publicly exposed instances and active exploitation. The "bolting MCP onto an app" problem, as SC World flagged in April, is exactly this: the MCP layer gets the app's capabilities but not its security controls. Shodan shows those 2,600 instances right now, unpatched Nginx UI on port 9000, open to the internet. Patch to version 2.3.4 or later today. And check your nginx.conf files for server blocks you didn't write. If the proxy_pass is pointing somewhere unfamiliar, assume you're already routing traffic for someone else. So who's running Nginx as a reverse proxy in front of production services that actually matter? Banks, right? Turns out that's not hypothetical anymore. So the answer to that question, who runs this stuff in front of real services, turns out to be: banks. Actual banks.
Grasshopper Bank launched the first MCP server deployed by a US bank back in August of 2025, built with Narmi. Business clients query account data through Claude and ChatGPT. And they did some things right: read-only access, OAuth for authorization. They were deliberate about it. Right; the read-only constraint is smart. An AI assistant can check your balance, categorize vendors, it cannot move money. That's
Max: Hmm.
Derek: the line they held. So Grasshopper didn't do anything reckless. The problem isn't what they built, the problem is what they built on top of. Exactly. American Banker confirmed Grasshopper is running Anthropic's MCP code, and Anthropic's position, as we covered, is explicit: sanitizing user input is the developer's responsibility. For a bank, that responsibility lands on the bank. And U.S. banking regulators? Silent. FinRegLab flagged agentic AI in a September 2025 market scan, but there's no supervisory guidance yet on MCP deployments in financial services. So the bank is responsible, the protocol vendor says it's expected behavior, and the regulator hasn't weighed in. That's a fun set of overlapping responsibilities! Here's where the stakes part really lands, Derek: the read-only constraint works today, but that window is closing. Fast. Meow Technologies launched what they call the first agentic banking platform on April 9th.
Speaker 3: Agents Wow.
Derek: can open accounts, send payments, issue cards, full write access over MCP, and Meow's banking infrastructure, by the way, is provided by Grasshopper Bank. Yeah, same bank. So the read-only version and the full agentic version are literally running on the same institution. The gap between "AI checks your balance" and "AI opens accounts and wires money" just collapsed into a single news cycle. And the protocol underneath both of them has a known unpatched flaw that Anthropic calls a feature. So you've got a foundation with a crack in it, and the structure on top is getting heavier. Getting heavier by the week. The question now is what do you actually do about it before your environment looks like Meow's, because the defensive picture here is specific. There are concrete checks that matter, and that's exactly where we need to go. So with all that in mind, what do you actually do right now? First thing, open every MCP server definition in your environment. Find the command parameter. That value, per OX Security's advisory, is the direct execution path. If anything external can influence it, a prompt, a config file write, a registry install, you have the STDIO problem, regardless of what version of the SDK you're running. Right, and this isn't hypothetical. We walked through four exploitation families where that exact path gets triggered; the command already ran before the error returns.
Speaker 5: Mm-hmm.
Derek: So the check is simple: can untrusted input reach that field? Exactly; if the answer is yes, you have a problem today. Azure deployments, different checklist. Blueinfy confirmed the fix for CVE-2026-26118 shipped in version 2.0.0 beta 17. If you haven't patched, that's the patch, but Shodan's piece flags the second thing you have to do: scope the managed identity, because the way that SSRF attack works, a stolen token inherits every permission the identity was granted. Over-permissioned identity means the blast radius scales with however many Azure resources that identity can reach. So the patch stops the leak, least privilege stops the flood. Yeah, that's the whole thing right there. And then the config audit. This is the single action I'd push to any listener right now. Run a grep, a search across your CI/CD configs, your IDE settings, any agent orchestration config, for the string "command" inside MCP server definitions.
Speaker 6: Wow!
Derek: Document every instance you find. That list is your attack surface. Every entry is a question: who controls that value, and can it be influenced from outside? And before you install anything you didn't write yourself, check vulnerablemcp.info. It's a live database of MCP CVEs, exploitation details, severity ratings,
Speaker 7: Right.
Derek: the vulnerable MCP project tracks this specifically because no single registry is doing that job right now. And we covered nine out of 11 registries accepting a malicious proof of concept with zero security review. That database exists because the ecosystem isn't self-policing. So audit your command parameters, patch CVE-2026-26118 if you're on Azure, scope your managed identities, and check vulnerablemcp.info before every install. Four actions, none of them require a vendor to fix anything first, which is good, because at least one vendor has already told us what they think about fixing it. Okay, so that's a wrap on MCP, and man, what an episode. Yeah, the one moment I keep coming back to is Anthropic's official answer to two hundred thousand exposed servers: "Expected behavior." Two words. Still gets me. In the Windsurf zero-click case, you open a project, that's literally it, no interaction, game over. Great feature, great feature. Look, the one-line takeaway from today: MCP ships with no authentication by default, and vendors are not rushing to fix that, so you have to. Monday morning action: head to vulnerablemcp.info, audit every MCP server in your stack before it touches anything real. That's the move. Thanks for riding through this one with us. Seriously, every listener who sticks around for the technical deep cuts makes this worth doing. New episodes every Tuesday. Subscribe wherever you listen. And if this saved you from a bad deployment, leave us a review. We'll see you next week.