MCP Coordinated Disclosure Highlights STDIO Command-Execution Risk
Summary
On April 15, 2026, OX Security published a coordinated disclosure describing a family of command-execution vulnerabilities tied to Model Context Protocol (MCP) deployments that accept untrusted STDIO server configuration. The disclosure covered one root pattern and multiple downstream implementations, with OX stating that its work resulted in more than 30 responsible disclosures and more than 10 CVEs across affected products.
This event is better understood as a disclosure and ecosystem-hardening incident than as a threat-actor campaign. Public NVD records published the same day for Windsurf and Agent Zero describe arbitrary command execution paths involving malicious MCP configuration or automatic registration of malicious STDIO servers. Official MCP materials also document that stdio launches a local subprocess and that local server installation flows need explicit consent and command transparency.
Technical Analysis
The core technical issue described by OX is that some MCP-enabled products allowed attacker-controlled command and args values, or equivalent local configuration changes, to flow into STDIO server launch paths without sufficient restriction. MCP’s transport specification states that, in stdio mode, the client launches the MCP server as a subprocess. That behavior is expected for legitimate local tooling, but it becomes a direct execution surface when untrusted input can define what gets launched.
OX’s advisory breaks the disclosure into multiple exploit families that share this root condition. Its published examples include authenticated and unauthenticated server-side command injection in MCP-enabled web products, and local prompt-injection paths that modify MCP configuration and trigger execution on a user workstation. The NVD entries for CVE-2026-30615 and CVE-2026-30624 independently describe the same pattern in Windsurf and Agent Zero, respectively.
The disclosure does not support treating every affected product as the same compromise event. What ties them together is the same execution model and the same trust-boundary failure: untrusted configuration reaches a subprocess launch mechanism that has access to the privileges of the host application or service.
Attack Chain
Stage 1: Malicious MCP Configuration Reaches a Target
An attacker supplies MCP server configuration through a vulnerable product flow, a poisoned local configuration update, or another downstream integration path that accepts untrusted input.
Stage 2: The Product Invokes MCP STDIO Launch Logic
The affected client or service passes attacker-controlled values into MCP STDIO server startup logic, which the MCP transport model uses to launch a subprocess.
Stage 3: Arbitrary Commands Run with Host Privileges
The launched command executes with the privileges of the local client or server process. In documented downstream cases, that enabled remote or local command execution depending on the exposed product path.
Stage 4: Data Access or Further Compromise Follows
Once command execution is achieved, the attacker can access local data, API keys, chat history, configuration files, or connected infrastructure to the extent permitted by the compromised host environment.
Impact Assessment
OX said the disclosure campaign produced more than 30 responsible disclosures and more than 10 CVEs across downstream MCP implementations. Its published examples included LiteLLM, Agent Zero, GPT Researcher, Windsurf, LangFlow, and other MCP-enabled products or frameworks. The published NVD records confirm at least part of that downstream impact through individual CVE entries tied to MCP-related command-execution paths.
For defenders, the main impact is not a single confirmed intrusion set but a shared execution pattern that can appear in multiple AI tools. Local clients face risk when one-click server installation or configuration flows can launch untrusted commands. Server-hosted products face risk when UI or API layers allow remote users to reach the same subprocess launch path.
The practical blast radius depends on the privileges granted to the affected product. On developer workstations, that can mean local credential theft, file access, or persistent malicious configuration. On hosted services, it can mean server-side command execution, data access, and exposure of connected secrets.
Attribution
Public reporting for this event centers on vulnerability research and coordinated disclosure, not on a named intrusion actor. OX Security is the disclosed research source, and the NVD records describe vulnerability conditions and exploitation outcomes for affected downstream products without assigning a threat actor.
Threat actor attribution is therefore not established. The evidence supports describing a coordinated vulnerability disclosure across the MCP ecosystem and selected downstream products, not a confirmed actor-led campaign.
Timeline
2025-06-18 — MCP Transport Specification Documents STDIO Subprocess Launch
The published MCP transport specification states that the client launches an MCP server as a subprocess when using stdio transport.
2025-07-22 — SEP-1024 Formalizes Local MCP Server Consent Requirements
The MCP project published SEP-1024, which requires explicit consent and full command visibility before clients execute local MCP server installation commands.
2026-04-15 — OX Security Publishes Main Story, Advisory, and Deep Dive
OX Security publicly released its MCP research package, including a main disclosure write-up, a technical deep dive, and a full advisory covering downstream exploit families and named CVEs.
2026-04-15 — NVD Publishes Downstream MCP-Related CVE Records
NVD published CVE-2026-30615 for Windsurf and CVE-2026-30624 for Agent Zero, each describing arbitrary command execution paths tied to MCP configuration behavior.
Remediation & Mitigation
Treat all MCP server configuration that can originate from user input, shared files, or remote content as untrusted. Do not allow arbitrary command or args values to reach STDIO launch paths without an explicit allowlist or equivalent execution policy.
For local MCP clients, require full pre-execution consent, show the exact command being launched, and avoid silent one-click installation flows. For server-side products, remove or constrain remote access to STDIO configuration surfaces and isolate any remaining MCP server execution in a sandbox with restricted file system and network access.
Where downstream products have published fixes, update to patched versions and review related CVE guidance. Where no fix exists, disable exposed MCP configuration paths or prevent them from accepting untrusted input until the affected implementation is hardened.
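One way to implement the explicit allowlist and pre-execution consent this section calls for, closing the trust-boundary gap described under Technical Analysis (untrusted command and args values reaching the stdio subprocess launch). This is an added example written for this report, not OX Security's code or any affected product's; the POLICY allowlist, the LOADER_ENV set and the sample configurations are constructed assumptions.

```python
# Allowlist gate for MCP stdio server configuration (added example; not OX
# Security's, the MCP project's, or any affected product's code).
import os
import shlex
import subprocess
from typing import Callable, Mapping
# Constructed policy (assumption): an explicit launcher allowlist, and for each
# launcher the only argument values it may be given. Anything else is refused.
POLICY: Mapping[str, frozenset] = {
    "npx": frozenset({"-y", "@modelcontextprotocol/server-filesystem"}),
    "uvx": frozenset({"mcp-server-git"}),
}
# Variables that change what code a launcher loads; untrusted config may not set them.
LOADER_ENV = frozenset({"PATH", "LD_PRELOAD", "DYLD_INSERT_LIBRARIES", "NODE_OPTIONS", "PYTHONPATH"})

def validate_stdio_config(cfg: Mapping, policy: Mapping = POLICY) -> tuple:
    """Return (ok, reason). Runs before any subprocess exists."""
    command, args, env = cfg.get("command"), cfg.get("args", []), cfg.get("env", {})
    if not isinstance(command, str) or command not in policy:  # exact name, no paths
        return False, f"command not allowlisted: {command!r}"
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return False, "args must be a list of strings"
    if bad := [a for a in args if a not in policy[command]]:
        return False, f"args not allowlisted for {command}: {bad}"
    if not isinstance(env, dict):
        return False, "env must be a mapping"
    if blocked := LOADER_ENV & set(env):
        return False, f"env sets loader variables: {sorted(blocked)}"
    return True, "ok"

def render_command(cfg: Mapping) -> str:
    """Exact command line to show the user before launch (SEP-1024 style consent)."""
    return shlex.join([cfg["command"], *cfg.get("args", [])])

def launch_stdio_server(cfg: Mapping, approve: Callable[[str], bool],
                        policy: Mapping = POLICY, spawn=subprocess.Popen):
    """Policy check, then consent on the rendered command, then spawn (injectable for tests)."""
    ok, reason = validate_stdio_config(cfg, policy)
    if not ok:
        raise PermissionError(reason)
    shown = render_command(cfg)
    if not approve(shown):
        raise PermissionError(f"user declined launch of: {shown}")
    argv = [cfg["command"], *cfg.get("args", [])]
    return spawn(argv, env={**os.environ, **cfg.get("env", {})}, shell=False,  # argv list, no shell
                 stdin=subprocess.PIPE, stdout=subprocess.PIPE)
# Constructed sample configurations, not taken from any real disclosure.
GOOD_CFG = {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem"]}
UNLISTED_CFG = {"command": "/opt/tools/helper", "args": []}
ENV_CFG = {"command": "uvx", "args": ["mcp-server-git"], "env": {"PYTHONPATH": "/tmp/x"}}
```

The gate rejects an unlisted launcher, an allowlisted launcher given an unlisted package, and an allowlisted launcher whose env entry would redirect what it loads, and it never spawns until the user has approved the exact rendered command.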
Sources & References
- OX Security: The Mother of All AI Supply Chains: Critical, Systemic Vulnerability at the Core of Anthropic’s MCP — OX Security, 2026-04-15
- OX Security: The Mother of All AI Supply Chains: Technical Deep Dive — OX Security, 2026-04-15
- OX Security: MCP Supply Chain Advisory: RCE Vulnerabilities Across the AI Ecosystem — OX Security, 2026-04-15
- NIST National Vulnerability Database: CVE-2026-30615 — NIST National Vulnerability Database, 2026-04-15
- NIST National Vulnerability Database: CVE-2026-30624 — NIST National Vulnerability Database, 2026-04-15
- Model Context Protocol: Transports — Model Context Protocol, 2025-06-18
- Model Context Protocol: SEP-1024: MCP Client Security Requirements for Local Server Installation — Model Context Protocol, 2025-07-22