A critical remote code execution (RCE) bug in Anthropic’s Model Context Protocol (MCP) inspector tool could allow attackers to run arbitrary commands on developer machines when they visit a malicious website.
MCP Inspector is a tool that helps developers test and debug AI agent interactions using Anthropic’s MCP, an open standard that enables AI agents to communicate with external tools and data sources.
The critical vulnerability affects all default deployments of the Inspector tool that bind to all network interfaces, exposing the system by listening on every available connection. This opens the door to a wide range of attacks, including cross-site request forgery (CSRF), remote code execution (RCE), and unauthorized access.
“With code execution on a developer’s machine, attackers can steal data, install backdoors, move laterally across networks, highlighting serious risks for AI teams, open-source projects, and enterprise adopters relying on MCP,” Avi Lumelsky, a security researcher at Oligo Security, the cybersecurity firm that first discovered and reported the vulnerability to Anthropic, said in a blog post.
Anthropic has fixed the vulnerability in its MCP Inspector version 0.14.1.
Open source projects use insecure MCP Inspector
To support the MCP ecosystem, developers rely on tools like MCP Inspector that offer real-time visibility into the message flows and agent behaviors governed by the protocol.
“The MCP Inspector tool runs by default when the mcp dev command is executed,” Lumelsky said. “It acts as an HTTP server that listens for connections, with a default setup that does not include sufficient security measures like authentication or encryption.” This misconfiguration introduces a major attack surface, allowing anyone on the local network, or even the public internet, to potentially access and exploit the exposed server.
The MCP Inspector is an essential tool for developers working with complex AI systems, and it is used by major players like Microsoft and Google in their AI and cloud environments. A vulnerability affecting open-source deployments therefore poses serious risks to these enterprise systems, Lumelsky added.
As MCP adoption picks up pace, security flaws are starting to emerge, like the bug in Asana’s MCP AI connector that exposed corporate data across tenants. The incident, discovered just a month after launch, underscores the need to reassess the experimental protocol before broader enterprise rollout.
Chained with a legacy flaw for RCE
Oligo demonstrated that the attack vector combines two independent flaws. Attackers could chain the legacy “0.0.0.0-day” browser flaw, which lets web pages send requests to the 0.0.0.0 address that browsers treat like localhost, with a CSRF-style attack against the Inspector proxy’s vulnerable “/sse” endpoint, which accepts commands via query strings and runs them over stdio.
The CSRF can escalate to an RCE when the attacker uses the flaw to dispatch malicious requests. “When an attacker can craft a request to the MCP inspector from a public domain JavaScript context, that request can trigger arbitrary commands on the victim’s machine, effectively gaining control over it,” Lumelsky said.
The Oligo research highlights that default configurations could unintentionally expose MCP servers to attacks, potentially giving threat actors a backdoor into developers’ machines.
While the 0.0.0.0-day remains unpatched in Chromium and Firefox more than a year after its discovery, the MCP flaw has been promptly fixed by Anthropic, owing to its critical severity (CVSS 9.4 out of 10). An NVD advisory urges customers to immediately upgrade all vulnerable versions (below 0.14.1).