MCP STDIO Transport Runs Commands Before Verifying Server Trust, Researchers Warn
A security flaw in the design of MCP's STDIO transport means a command executes on a user's machine before the client confirms it launched a legitimate MCP server. OX Security published findings in April 2026 after a five-month audit, identifying multiple attack paths including direct command injection, allowlist bypasses, and IDE prompt injection. One confirmed vulnerability, CVE-2026-30615 in Windsurf, allowed attacker-controlled HTML to silently register a malicious MCP server and trigger code execution. OX also tested 11 MCP marketplaces by submitting a rogue package, with nine accepting it, and reported command execution on six live production platforms. Researchers warn that simply allowlisting trusted launchers like npx is insufficient if attacker-controlled arguments are not also validated.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in