critical · MCP server

AGS-2026-0010

Architectural MCP RCE — 200k vulnerable servers, 150M+ downloads affected (OX Security)

What happened

OX Security uncovered an architectural flaw in the Model Context Protocol that enables arbitrary command execution on systems running vulnerable MCP implementations. The flaw is *systemic*, not implementation-specific, and is reachable via prompt injection plus standard MCP message flow.

Scale

  • 150M+ downloads of vulnerable MCP libraries.
  • 7,000+ publicly accessible servers.
  • Up to 200,000 vulnerable instances total.

Cursor, VS Code, Windsurf, Claude Code, and Gemini-CLI are all reachable via this class of issue.

Self-check

AgentGuard subscribers receive this advisory automatically and their local guard runs the inspection below.

References