OX Security — Full MCP STDIO Command Injection Advisory: CVEs Across LangFlow, LiteLLM, GPT Researcher, Agent Zero

AI relevance: The Model Context Protocol (MCP) is the standard for connecting AI agents to external tools — command injection in MCP STDIO adapters means attackers can achieve RCE on systems running popular AI frameworks including LangFlow, LiteLLM, GPT Researcher, Agent Zero, and LangBot.

  • OX Security published a full vulnerability advisory detailing MCP STDIO command injection across six AI platforms, all rated Critical severity
  • LangFlow (CVE unassigned): Unauthenticated RCE: a token is obtained from the /api/v1/auto_login endpoint, then arbitrary commands are injected through MCP adapter configuration that is passed directly to StdioServerParameters
  • GPT Researcher (CVE-2025-65720): Crafted HTML page triggers command execution and spawns a reverse shell on machines running gpt-researcher locally, via malicious MCP configuration entered through the unauthenticated UI
  • LiteLLM (CVE-2026-30623): Authenticated RCE — users can add MCP servers via JSON configuration with arbitrary command/args values that execute on the host without validation
  • Agent Zero 0.9.8 (CVE-2026-30624): External MCP Servers configuration accepts arbitrary command and args values in JSON, executed without sufficient validation
  • LangBot (CVE unassigned): Authenticated RCE via MCP Server Configuration: StdioServerParameters executes user-supplied commands as subprocesses without sanitization
  • Fay Digital Human Framework (CVE-2026-30618): Unauthenticated RCE via MCP adapter configuration in faymcp/mcp_client.py
  • Two additional undisclosed products are affected with critical-severity RCE via the same attack pattern
  • The root cause: Anthropic's MCP SDK passes user-supplied command and arguments to StdioServerParameters without sanitization, executing them as OS subprocesses

Why It Matters

Every platform in the advisory allows users to configure MCP servers through a UI or API, and all of them pass configuration values directly to OS-level subprocess execution. This means any user with access to the MCP configuration screen — authenticated or, in some cases, unauthenticated — can achieve full system compromise. The pattern is systemic: the official MCP SDK's StdioServerParameters is designed for flexibility, not security, and downstream projects inherited the risk without independent review. As AI agents proliferate across enterprises, MCP server misconfigurations become a direct path to RCE on AI infrastructure.

What To Do

  • Update immediately if you run LangFlow, LiteLLM, Agent Zero, GPT Researcher, LangBot, or Fay — check for vendor patches
  • Restrict MCP configuration access — ensure only trusted administrators can add or modify MCP server configurations
  • Sandbox MCP server processes — isolate them in containers with minimal privileges and no outbound network access
  • Audit your MCP inventory — catalog every MCP server in your AI stack and verify input validation at configuration time
  • Treat MCP configuration endpoints as security-sensitive — they execute OS commands; apply the same controls you'd use for admin consoles
  • Monitor for suspicious MCP process spawns — unexpected shells or outbound connections from MCP server processes indicate compromise
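The shared root cause above is a configuration value that reaches StdioServerParameters unchanged; the "verify input validation at configuration time" item is where a downstream project can break that chain. The following is an added example, not code from OX Security or from any of the affected projects, of what that validation can look like: an administrator-maintained allowlist maps a logical name to an absolute executable path, arguments and environment variables are checked against a conservative character set, and only the validated spec (never the raw user strings) is what would be handed to StdioServerParameters. The allowlist contents, the config shape and the helper names are assumptions for illustration.

```python
"""Allowlist validation for user-supplied MCP STDIO server configuration.

Added example, not code from OX Security or from any affected project.
Assumes the JSON shape described in the advisory
({"command": ..., "args": [...], "env": {...}}) and an allowlist that an
administrator maintains out of band.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed allowlist (assumption): logical name -> absolute path.
# Only binaries an administrator deliberately approved can be spawned;
# the user-supplied command string itself never reaches the OS.
DEFAULT_ALLOWLIST: dict[str, str] = {
    "npx": "/usr/bin/npx",
    "uvx": "/usr/local/bin/uvx",
}

# Arguments: conservative character set, no shell metacharacters,
# no whitespace; parent-directory traversal is rejected separately.
_SAFE_ARG = re.compile(r"^[A-Za-z0-9@._/:+=-]{1,256}$")
_MAX_ARGS = 16

# Environment: uppercase names only, and never the variables that change
# what the child process loads or executes.
_SAFE_ENV_KEY = re.compile(r"^[A-Z][A-Z0-9_]{0,63}$")
_SAFE_ENV_VAL = re.compile(r"^[A-Za-z0-9@._/:+=,-]{0,512}$")
_BLOCKED_ENV = {"PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH",
                "NODE_OPTIONS", "DYLD_INSERT_LIBRARIES"}


class McpConfigError(ValueError):
    """Raised when a configuration entry is rejected."""


@dataclass(frozen=True)
class ValidatedStdioSpec:
    """The only values that should ever be handed to StdioServerParameters."""
    command: str                      # absolute path taken from the allowlist
    args: tuple[str, ...]
    env: dict[str, str] = field(default_factory=dict)


def validate_stdio_config(cfg: object,
                          allowlist: dict[str, str] = DEFAULT_ALLOWLIST
                          ) -> ValidatedStdioSpec:
    """Validate one MCP server entry; raise McpConfigError on any problem."""
    if not isinstance(cfg, dict):
        raise McpConfigError("config entry must be a JSON object")

    command = cfg.get("command")
    if not isinstance(command, str) or command not in allowlist:
        raise McpConfigError(f"command not in allowlist: {command!r}")

    args = cfg.get("args", [])
    if not isinstance(args, list) or len(args) > _MAX_ARGS:
        raise McpConfigError(f"args must be a list of at most {_MAX_ARGS} strings")
    for arg in args:
        if not isinstance(arg, str) or not _SAFE_ARG.match(arg) or ".." in arg:
            raise McpConfigError(f"rejected argument: {arg!r}")

    env = cfg.get("env", {})
    if not isinstance(env, dict):
        raise McpConfigError("env must be a JSON object")
    for key, val in env.items():
        if (not isinstance(key, str) or not _SAFE_ENV_KEY.match(key)
                or key in _BLOCKED_ENV):
            raise McpConfigError(f"rejected env key: {key!r}")
        if not isinstance(val, str) or not _SAFE_ENV_VAL.match(val):
            raise McpConfigError(f"rejected env value for {key}: {val!r}")

    # Substitute the allowlisted absolute path; the raw user string is discarded.
    return ValidatedStdioSpec(command=allowlist[command],
                              args=tuple(args), env=dict(env))


def check_config(cfg: object) -> tuple[bool, str]:
    """Convenience wrapper for an API handler: returns (accepted, reason)."""
    try:
        validate_stdio_config(cfg)
    except McpConfigError as exc:
        return False, str(exc)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample entries: one legitimate, two that must be rejected.
    samples = [
        {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/srv/data"]},
        {"command": "bash", "args": ["-c", "id"]},
        {"command": "npx", "args": ["-y", "pkg;id"]},
    ]
    for entry in samples:
        print(check_config(entry))
```

The allowlist narrows what can be spawned but does not make the approved binary safe on its own: an allowed package runner will still fetch and execute whichever package name it is given, so this check belongs alongside the admin-only access, sandboxing and process monitoring items above rather than in place of them.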

Sources: