MCP Tool Poisoning: 200K+ Vulnerable MCP Instances Exposed via STDIO Protocol Design Flaws
Date: 2026-05-27
Tags: mcp-security, prompt-injection
Executive Summary
The OX Security disclosure in May 2026 illustrated how design decisions made early in a protocol's life create systemic risk later, and the vulnerability was not a memory bug or missing authentication check. OX Security researchers identified a systemic command injection vulnerability in Anthropic's MCP protocol that propagated across the AI ecosystem, with a full disclosure advisory including CVEs, affected platforms, and attack variants.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | MCP STDIO Command Injection Vulnerability Disclosure |
| Attribution | Design flaw in Anthropic Model Context Protocol specification (confidence: high) |
| Target | All MCP clients (Cursor, VS Code, Claude Code, Gemini CLI, Windsurf) and servers integrated via STDIO |
| Vector | Unsafe STDIO transport deserialization in MCP SDK implementations |
| Status | active |
| First Observed | 2026-05-01 |
Detailed Findings
The issue stemmed from the way the official MCP SDKs handle the STDIO transport for local tool execution, and Anthropic confirmed the behavior was by design and declined to modify the protocol, framing sanitization as a developer responsibility. A 2026 disclosure exposed up to 200,000 vulnerable MCP instances across IDEs, internal tools, and cloud services. A prompt injection vulnerability in Windsurf 1.9544.26 allows remote attackers to execute arbitrary commands on a victim system, and when Windsurf processes attacker-controlled HTML content, malicious instructions can cause unauthorized modification of the local MCP configuration and automatic registration of a malicious MCP STDIO server, resulting in execution of arbitrary commands without further user interaction. What separates tool poisoning from earlier prompt injection research is persistence: a poisoned tool description ships inside a package, a configuration file, or a remote MCP server, and it works on every single invocation, silently, across every session, for every user, until somebody notices.
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Prompt Injection | T1598.004 | Malicious tool descriptions crafted to trigger unauthorized actions |
| Code Injection | T1059.007 | STDIO protocol processes untrusted JSON-RPC without validation |
| Privilege Escalation | T1134 | AI agent executes with inherited privileges of IDE or application process |
IOCs
Domains
_No specific malware IOCs; vulnerability is in protocol design affecting all clients_
Full URL Paths
_No specific malware IOCs; vulnerability is in protocol design affecting all clients_
Splunk Format
_No IOCs available for Splunk query_
Package Indicators
Anthropic MCP STDIO clients: Cursor, VS Code, Claude Code, Gemini CLI, WindsurfDetection Recommendations
Implement MCP configuration allowlisting: only register MCP servers from trusted sources. Apply runtime monitoring of MCP tool invocations to detect anomalous behavior (e.g., tools spawning processes, accessing files outside expected scope, making network requests). Monitor for unauthorized MCP server registration in IDE configuration files (.cursor, .vscode settings, .claude directories). Implement tool execution sandboxing: restrict MCP tools to read-only operations or bound execution with explicit user approval for write operations. Validate MCP tool schemas against expected signatures before execution. Monitor for prompt injection indicators within tool descriptions (encoded commands, multi-stage instructions, suspicious parameter patterns).
References
- [OX Security] MCP Supply Chain Advisory: RCE Vulnerabilities Across the AI Ecosystem (2026-05-01) — https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/
- [ITECS Online] MCP Tool Poisoning: Enterprise AI Agent Security in 2026 (2026-05-15) — https://itecsonline.com/post/mcp-tool-poisoning-enterprise-ai-agent-security-2026