Unpatched · June 2, 2026

A systemic Remote Code Execution (RCE) flaw in the official Model Context Protocol (MCP) STDIO transport affects an estimated 200,000 servers and 150 million downstream package downloads across Python, TypeScript, Java, and Rust SDKs. Anthropic has reviewed the research and confirmed the behavior is "expected protocol behavior" — not a bug it will fix. Three confirmed CVEs have already been assigned to implementations built on the flawed foundation. There is no patch coming. The fix is architecture.

MCP has become the de facto standard for connecting AI agents to external tools — databases, APIs, code execution environments, cloud infrastructure. Every enterprise wiring agents to MCP servers is wiring them to a protocol with an unfixed design flaw that allows full remote command execution on the host system.

This isn't a theoretical risk. It's already being exploited in the implementations built on top of it.

200K
Estimated exposed MCP
server instances
150M
Downstream package downloads
carrying the flaw
9.6
Highest CVSS score
across confirmed CVEs

The Vulnerability: STDIO Executes What It's Told

The flaw lives in how MCP's official SDKs handle STDIO process commands. When an MCP server initializes, it blindly executes process commands passed to the STDIO interface. The SDK does not sanitize these commands. It does not validate that the spawned process is what was intended. It executes first and asks no questions.

The exploit path is direct:

1
Attacker passes a malicious command to the STDIO interface
The MCP server initialization process receives the command. No authentication. No validation. The STDIO interface accepts input.
2
The system executes the command — even if the process fails to launch
This is the critical design decision: the SDK executes the command regardless of whether the intended MCP server process starts successfully. Execution is unconditional.
3
Full RCE on the host system
The attacker now has arbitrary command execution on the host. From here: steal API keys from environment variables, access internal databases, take over cloud pipelines. The blast radius is everything the host can reach.
4
Anthropic's response: this is expected behavior
Researchers from OX Security disclosed the full technical analysis. Anthropic reviewed it and declined to alter the protocol's STDIO handling. The official position: this is how the protocol is designed to work. No fix is planned at the protocol level.

Across Python, TypeScript, Java, and Rust — all four official MCP SDKs carry the same flaw. Every MCP server built on any of them inherits it.

Three CVEs Already Confirmed in the Wild

Because Anthropic won't fix the protocol, the flaw propagates into every implementation. Researchers have already confirmed three critical CVEs in tools built directly on MCP:

CVE-2025-49596 CVSS 9.4 Critical
Anthropic MCP Inspector — RCE via malicious server inspection
An attacker could execute arbitrary code on a developer's machine by having the developer inspect a malicious MCP server with the official MCP Inspector tool. No additional user interaction required beyond opening the inspector. Affects every developer using the official Anthropic toolchain.
CVE-2025-6514 CVSS 9.6 Critical
mcp-remote — RCE via supply chain, highest CVSS of the three
The mcp-remote bridging tool, used to connect local MCP clients to remote servers, carries a critical RCE flaw that highlights the supply chain risk. An attacker controlling a remote MCP server endpoint can execute arbitrary code on any client connecting through mcp-remote. This affects Claude Desktop users and every enterprise deployment using remote MCP server connectivity.
CVE-2025-65719 CVSS Critical
Kubectl MCP Server — RCE with full Kubernetes cluster control
The Kubectl MCP Server, which gives AI agents access to Kubernetes cluster management, is vulnerable to RCE that grants attackers full control over local systems and every linked Kubernetes cluster. This is the highest-impact vector: an attacker reaching this CVE can pivot from developer machine to full production infrastructure.
Why this won't be patched

Anthropic has positioned MCP as an open protocol with intentional design decisions around STDIO. Sanitizing STDIO commands by default would require a breaking change to the protocol specification. Anthropic has declined to make that change. This means every implementation built on the official SDKs — today and going forward — inherits the flaw until the protocol spec changes. Don't wait for an upstream patch. Mitigate at your architecture layer.

What Attackers Can Do Once They Have RCE

Remote code execution on an MCP host isn't a contained incident. The MCP server exists specifically to bridge AI agents to sensitive systems. Once an attacker has RCE on that host, the path to high-value targets is short:

Five Controls That Mitigate the Risk Today

Because the vulnerability is architectural — not a code bug — the mitigations are architectural too. Each of these reduces blast radius and attack surface independently.

01
RuntimeAI → MCP Gateway + Zero Trust
Treat every MCP server as untrusted — including your own
RuntimeAI's MCP Gateway sits between your AI agents and every MCP server connection. Every tool call goes through the gateway — validated against tenant ACLs, rate-limited, and logged before it reaches the MCP server. The agent never has a direct socket to the MCP host. Even if an MCP server is compromised, the blast radius is contained to what the gateway permits. RBAC enforced at the tool-call level, not at the network perimeter.
02
RuntimeAI → Network Isolation + Sandboxing
Run MCP servers in isolated containers with no internet egress
Never run MCP servers directly on bare metal or with root privileges. Containerize every MCP server with gVisor or equivalent syscall interception. Block internet egress at the container boundary — MCP servers should call only the services they're configured to call, via egress allow-lists. This contains the RCE: even if the attacker has arbitrary command execution inside the container, they cannot reach the metadata service, cloud APIs, or lateral targets.
03
RuntimeAI → Bot-CA + OAuth 2.1
Authenticate every MCP connection — unauthenticated connections are the entry point
The STDIO vulnerability requires an unauthenticated MCP connection to pass the malicious command. RuntimeAI's Bot-CA issues cryptographic mutual TLS certificates for every MCP server registration. OAuth 2.1 authorization flows enforce that only authenticated, registered agents can initiate MCP server connections. An unauthenticated actor cannot pass a command to the STDIO interface if the connection is never established.
04
RuntimeAI → Flow Enforcer + Input Sandboxing
Validate and isolate every script before execution
Any MCP tool that executes scripts or shell commands must run those scripts inside a constrained runtime (gVisor, strict seccomp profile). RuntimeAI's Flow Enforcer applies policy to tool calls before they reach the MCP server: reject tool calls that pass unsanitized shell inputs, require structured parameters over raw command strings, and flag tool calls whose parameters match known injection patterns. The AI agent requests; the enforcer validates; the MCP server only sees clean inputs.
05
RuntimeAI → Audit Black Box + Behavioral Detection
Monitor MCP process trees for unauthorized child processes
A successful RCE spawns child processes the MCP server was never expected to create. RuntimeAI's Audit Black Box logs every MCP tool call with full parameter capture. Behavioral anomaly detection establishes baseline process behavior for each registered MCP server and fires alerts when unexpected child processes, unusual network connections, or anomalous tool call sequences appear. You find out in seconds, not when it becomes a public incident.

Immediate Actions for Your MCP Deployments

# 1. Audit every MCP server your agents connect to
kubectl get deployments -n rt19 | grep mcp
# For each: verify it runs as non-root, has no host network, no internet egress

# 2. Verify no MCP server accepts unauthenticated STDIO connections
# In your MCP server config — confirm OAuth 2.1 or mTLS is required
grep -r "allow_unauthenticated\|no_auth" ./mcp-servers/

# 3. Check for vulnerable tooling in your development environment
npm list mcp-remote 2>/dev/null | grep -v "empty"
pip show mcp-inspector 2>/dev/null | grep Version

# 4. Review all MCP server Dockerfiles for root execution
grep -r "USER root\|RUN.*sudo" ./mcp-servers/*/Dockerfile

Recommended container security profile for MCP servers

# k8s deployment patch — apply to all MCP server deployments
securityContext:
  runAsNonRoot: true
  runAsUser: 10001
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
# NetworkPolicy — restrict egress to allowed services only
egress:
  - to:
    - podSelector:
        matchLabels:
          role: allowed-mcp-target
    ports:
      - port: 443
RuntimeAI MCP Gateway — what's already in place

Every MCP server registered with RuntimeAI's MCP Gateway runs behind mutual TLS authentication (Bot-CA), with per-tenant ACL enforcement on every tool call, rate limiting, and full audit logging. The gateway acts as the authenticated entry point — no direct STDIO connection is possible from an unauthenticated source. Behavioral anomaly detection monitors process-level activity on every registered server. If you're running MCP through RuntimeAI's gateway today, the primary attack vector for this vulnerability is blocked at the connection layer.

Deploy RuntimeAI's MCP Gateway

Secure your MCP servers in under an hour.

RuntimeAI's MCP Gateway wraps every MCP server connection with authentication, authorization, rate limiting, audit logging, and behavioral monitoring — without requiring changes to your MCP servers themselves.

Bot-CA mTLS Auth
Cryptographic mutual TLS for every MCP server registration. No unauthenticated STDIO connections permitted.
OAuth 2.1 Enforcement
Every agent-to-MCP connection requires OAuth authorization. Anonymous connection is rejected at the gateway.
Tool-Call ACLs
Per-tenant, per-agent allow-lists for which tools can be called. Wildcard access is blocked by default.
Flow Enforcer Integration
Sensitive tool calls — shell exec, file write, DB query — gated behind policy before reaching the server.
Audit Black Box
Every tool call logged with full parameter capture. Tamper-evident chain for SOC 2 and EU AI Act.
Behavioral Anomaly Detection
Baseline per MCP server. Unexpected child processes, network calls, or tool sequences trigger real-time alerts.
# Register your MCP server with RuntimeAI Gateway
POST /api/v1/mcp/servers/register
{
  "server_id":    "kubectl-mcp-prod",
  "tenant_id":    "acme-corp",
  "auth_mode":    "mtls",            // Bot-CA mTLS required
  "allowed_tools": ["get_pods", "get_logs", "describe_deployment"],
  "sensitive_tools": ["apply", "delete", "exec"],
  "egress_allow":  ["kube-api.internal:6443"],
  "sandbox":       "gvisor"
}
EU AI Act Timeline

High-risk AI system enforcement begins August 2, 2026 — 61 days from today. If your AI agents access Kubernetes clusters, production databases, or cloud infrastructure via MCP, you are operating a high-risk agentic system. Article 9 risk management and Article 12 audit logging are mandatory. An unpatched RCE in your MCP infrastructure with no audit trail is not a position you want to defend.

Your MCP servers are exposed. Your agents don't have to be.

RuntimeAI's MCP Gateway wraps every MCP connection with authentication, Zero Trust enforcement, behavioral monitoring, and a full audit trail — without touching your MCP servers.

Start Your Trial MCP Gateway Docs