MCP Has a Security Problem. Anthropic Called It "Expected Behavior."

OX Security disclosed a systemic flaw in Anthropic’s Model Context Protocol in April 2026. The core issue: the STDIO execution model in official MCP SDKs can run arbitrary OS commands even when the local server process fails to start. You don’t need a running server to get code execution. You just need a malicious config.

OX estimates 150 million downloads touched, 200,000 potentially vulnerable instances, 7,000+ publicly reachable servers, and over 10 high or critical CVEs already tied to downstream projects. Tenable reported a separate but related vulnerability in February: a malicious MCP server config in a GitHub Action could execute arbitrary code in the runner with full access to workflow secrets. HackerOne triaged it as “informative.” Tenable pushed back. Anthropic patched it eventually, but the initial response was that it was a configuration issue, not a vulnerability.

OX asked Anthropic repeatedly to fix the root cause. The answer was that the behavior is expected and sanitization is the developer’s responsibility.

Sources: The Register · Tenable CVE disclosure · Anthropic MCP command execution behavior

The Registry Numbers Are Worse Than the Headlines

Someone analyzed 4,584 MCP servers and published the trust scores. The average came out at 53.9 out of 100.

MCP Scorecard tracks the full registry in real time. As of this writing: 4,484 servers indexed, 35 rated high trust, 604 moderate, 2,369 low trust, 1,471 very low, and 1,296 flagged. That’s more flagged servers than moderate ones.

The registry grew from 3,121 to 4,484 servers in a single two-week collection cycle, the biggest batch ever. The average trust score dropped as it grew, from 48.4 to 45.9, because most of the new entries were low-quality bulk publishers flooding the registry. Microsoft shipped nine WorkIQ servers, all scoring 32. One developer registered 33 utility servers in a single namespace.

Sources: MCP Scorecard blog · Trust score analysis

What This Means If You’re Building With MCP

People are building real things on top of this. Contract development workflows with Midnight MCP and Claude. SPICE circuit simulations through MCP tool calls. Agent networks with memory layers sitting alongside MCP’s tool access. The use cases are legitimate and growing.

None of that changes the trust problem. It makes it more expensive to ignore.

Every MCP server your agent connects to is a trust decision. Most developers are not making that decision consciously because the protocol makes it easy to connect and hard to audit. The registry scores exist now. Use them. Check before you ship.

The three things worth doing immediately if you have MCP in production:

• Audit your server list against MCP Scorecard. Anything below 60 needs a justified reason to stay connected.
• Lock your GitHub Actions config. A malicious MCP server in your CI config is an arbitrary code execution path with access to every secret in the workflow. Tenable documented the exact path.
• Treat the STDIO command parameter as untrusted input. Anthropic won’t patch the root issue. Sanitization is on you, and they’ve said so publicly.

The MCP ecosystem is moving fast. The security tooling is not keeping pace. That gap is where incidents happen.

Sources: OX Security / The Register · Tenable CVE · MCP Scorecard · 4584 server trust analysis · Anthropic command execution behavior