← Latest news 
200000 MCP servers found exposing a command execution flaw Anthropic defends as a built in feature
Technology
Published on 2 May 2026
Default STDIO can run OS commands with no boundary
A security audit by OX Security claims MCP’s default STDIO transport can execute arbitrary operating system commands received by an AI agent. Researchers found 7,000 publicly reachable servers and estimate 200,000 vulnerable instances, confirming impact across multiple production platforms. Anthropic says the behavior is expected by design and leaves input sanitization to developers. Security leaders warn this is a dangerous, scalable “distributed failure mode.”
- MCP default STDIO transport can execute any OS command it receives
- OX Security found 7,000 exposed servers and estimates 200,000 vulnerable instances
- Vendors patched products, but no protocol-level fix changed the STDIO model
- Enterprises should enumerate, patch, sandbox, and treat STDIO configs as untrusted
Read the full story at Venture Beat
This summarization was done by Beige for a story published on 
Venture Beat