Anthropic warns: Three new MCP CVEs make ecosystem defense harder
Anthropic warned that three new MCP CVEs were assigned this week, expanding attack surfaces beyond the prior command‑injection flaws; notably CVE‑2026‑0621 targets its TypeScript SDK (≤1.25.1) with a high‑severity ReDoS vulnerability, making ecosystem defense harder, reports indicate.
Quick Summary
- Anthropic warned that three new MCP CVEs were assigned this week, expanding attack surfaces beyond the prior command‑injection flaws; notably CVE‑2026‑0621 targets its TypeScript SDK (≤1.25.1) with a high‑severity ReDoS vulnerability, making ecosystem defense harder, reports indicate.
- Key company: Anthropic
Anthropic’s latest security bulletin underscores a shift in the threat landscape for its Model Context Protocol (MCP) ecosystem, moving from isolated server‑side bugs to vulnerabilities embedded in the very tools developers rely on. According to a report posted by kai_security_ai on February 24, three new CVEs were assigned this week, CVE‑2026‑0621, CVE‑2026‑2178 and CVE‑2026‑27203, each exposing a distinct attack surface that could affect thousands of deployments that have not yet upgraded. The first, CVE‑2026‑0621, targets the official Anthropic MCP TypeScript SDK (versions ≤ 1.25.1) with a high‑severity regular‑expression denial‑of‑service (ReDoS) flaw. The vulnerability resides in the `UriTemplate` class, which compiles RFC 6570 URI templates into regular expressions used to match incoming URIs; when an attacker supplies a crafted URI against a template that uses an exploded variable (the `*` modifier), the generated regex backtracks catastrophically. Because Node.js runs JavaScript on a single thread, that one regex evaluation blocks the event loop and the server stops answering every other request until the match finishes, with no authentication or user interaction required.
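To make the failure mode concrete, here is an added example that is not code from the MCP TypeScript SDK: the shape of regex a naive RFC 6570 compiler produces for an exploded list variable such as `/items/{ids*}`, beside an equivalent pattern that cannot backtrack, and an input-length cap applied before the engine runs. The template, the function names and the 2048-character limit are assumptions made for this illustration.

```javascript
// Added illustration, not code from the MCP TypeScript SDK: the shape of
// regex that a naive RFC 6570 template compiler produces for an exploded
// list variable such as "/items/{ids*}", beside an equivalent pattern that
// cannot backtrack, plus an input-length cap. Names, the template and the
// 2048-character limit are assumptions made for this example.
const MAX_URI_LENGTH = 2048;

// Naive compilation: one element is \w+, the comma after it is optional, the
// group repeats. \w+ and the outer * both consume word characters, so when a
// run of n word characters is followed by a character that can never match,
// the engine retries every one of the 2^(n-1) ways to split the run before
// it reports failure.
const NAIVE_IDS_RE = /^\/items\/(?:\w+,?)*$/;

// Same language except that it requires at least one element and forbids a
// trailing comma: every element is \w+ and every element after the first is
// introduced by a literal comma. There is exactly one way to tokenise any
// input, so matching is linear in its length.
const SAFE_IDS_RE = /^\/items\/\w+(?:,\w+)*$/;

// Test a URI against a compiled template, refusing oversized input before the
// regex engine sees it, and report how long the match took in microseconds.
function matchUri(re, uri) {
  if (uri.length > MAX_URI_LENGTH) {
    return { matched: false, rejected: "too long", micros: 0 };
  }
  const start = process.hrtime.bigint();
  const matched = re.test(uri);
  const micros = Number(process.hrtime.bigint() - start) / 1000;
  return { matched, rejected: null, micros };
}

// Constructed attacker input: n word characters followed by "!" so the match
// must fail, which is exactly what triggers the backtracking.
function attackerUri(n) {
  return "/items/" + "a".repeat(n) + "!";
}

// Demo: the naive pattern's cost doubles with every extra character, the
// safe pattern's does not, and an oversized URI never reaches either.
console.log("benign:", matchUri(SAFE_IDS_RE, "/items/a1,b2,c3").matched);
for (const n of [12, 16, 20]) {
  const naive = matchUri(NAIVE_IDS_RE, attackerUri(n));
  const safe = matchUri(SAFE_IDS_RE, attackerUri(n));
  console.log(`n=${n}: naive ${naive.micros.toFixed(0)}us, safe ${safe.micros.toFixed(0)}us`);
}
console.log("oversized:", matchUri(NAIVE_IDS_RE, attackerUri(MAX_URI_LENGTH)).rejected);
```

Run it with `node` and watch the naive column roughly double per added character while the safe column stays flat. The length cap is the defence an operator can add without touching the SDK; rewriting the generated pattern so that quantifiers never overlap is the fix that belongs in the library, and it is why upgrading rather than fronting the server with a timeout is the right remediation.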
The impact of CVE‑2026‑0621 is amplified by the SDK’s ubiquity. As kai_security_ai notes, “the official Anthropic SDK… is the implementation most MCP servers start with,” meaning any server that has not moved beyond version 1.25.1 inherits the flaw. By contrast, the fourteen prior MCP CVEs each affected a single, often niche, server implementation and together covered only a few thousand installations. The new SDK‑level bug therefore propagates across the entire MCP ecosystem, forcing operators to prioritize patching or risk a denial‑of‑service cascade that could cripple large‑scale AI workloads.
The second vulnerability, CVE‑2026‑2178, widens the attack surface to development tools. It affects the `xcode-mcp-server` package maintained by r‑huijts, specifically the `run_lldb` tool, which invokes Xcode’s LLDB debugger through an `exec()` call whose command line is assembled from unsanitized input. The report classifies this as classic OS command injection (CWE‑78) but rates it “critical” because the injected command runs with the developer’s own privileges on a workstation rather than inside a sandboxed service. An attacker who can reach the MCP server (many run without authentication by default) can place shell metacharacters such as `;`, `|` or `$( )` in the `args` parameter and have the shell run arbitrary commands as that developer. The practical fallout is severe: a compromised developer environment exposes source code, private keys stored in the macOS Keychain, and cloud credentials in `~/.aws` or `~/.config`. A tool designed for inspection becomes a vector for full system compromise, and the risk reaches beyond production servers to the very workstations used to build and test AI models.
The third CVE, CVE‑2026‑27203, provides persistence without relying on immediate code execution. Identified in the `ebay-mcp-server` package (all versions ≤ 1.7.2) by YosefHayim, the flaw is an environment‑variable injection (CWE‑15, external control of a configuration setting) in the `ebay_set_user_tokens` tool. Its `updateEnvFile` function appends OAuth tokens to the server’s `.env` file without stripping newline characters or quoting the value, so a token that contains a newline followed by `KEY=value` lands in the file as a separate assignment. An attacker who can invoke the tool can therefore set arbitrary environment variables and, because dotenv-style loaders take the last assignment of a key in the file, override legitimate configuration with attacker-controlled values. The `.env` file is read on every subsequent start, so the injected variables survive restarts, giving long‑term control over the server’s behaviour and potentially access to downstream services that trust those settings.
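An added example, not code from `ebay-mcp-server`, shows the mechanism end to end: a `.env` writer that appends `KEY=value` verbatim, beside one that validates the key, refuses multi-line values and quotes what it writes, with a small dotenv-style parser to show what each produces. The function names, the `EBAY_*` keys and the token values are constructed for this illustration.

```javascript
// Added illustration, not code from ebay-mcp-server: a .env writer that
// appends KEY=value verbatim, beside one that validates the key, refuses
// multi-line values and quotes what it writes, with a small dotenv-style
// parser to show what each produces. Function names, the EBAY_* keys and the
// token values are assumptions constructed for this example.

// Toy parser in the spirit of dotenv: one KEY=value per line, later lines win,
// a double-quoted value has its surrounding quotes removed and \" and \\
// unescaped. (The real dotenv also expands \n inside double quotes.)
function parseEnv(text) {
  const env = {};
  for (const line of text.split("\n")) {
    const m = /^([A-Za-z_][A-Za-z0-9_]*)=(.*)$/.exec(line);
    if (!m) continue;
    let value = m[2];
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1).replace(/\\(["\\])/g, "$1");
    }
    env[m[1]] = value;
  }
  return env;
}

// Vulnerable shape: the value goes in unquoted and unchecked. A newline in the
// value ends this assignment and whatever follows is parsed as the next one.
function appendEnvUnsafe(text, key, value) {
  return text + `${key}=${value}\n`;
}

const ENV_KEY = /^[A-Z][A-Z0-9_]*$/;

// Hardened shape: the key must be a plain upper-case identifier, the value
// may not contain a line break or NUL, and it is written double-quoted with
// backslash and quote escaped, so it always reads back as exactly one value.
function appendEnvSafe(text, key, value) {
  if (!ENV_KEY.test(key)) throw new Error(`invalid env key: ${JSON.stringify(key)}`);
  if (/[\r\n\0]/.test(value)) throw new Error("env value must be a single line");
  const quoted = '"' + value.replace(/\\/g, "\\\\").replace(/"/g, '\\"') + '"';
  return text + `${key}=${quoted}\n`;
}

// Constructed scenario: the server's existing .env and a "token" that smuggles
// a second assignment after a newline.
const EXISTING_ENV = "EBAY_API_BASE=https://api.ebay.com\n";
const SMUGGLED_TOKEN = "tok123\nEBAY_API_BASE=https://evil.example";

console.log("unsafe:", parseEnv(appendEnvUnsafe(EXISTING_ENV, "EBAY_USER_TOKEN", SMUGGLED_TOKEN)));
try {
  appendEnvSafe(EXISTING_ENV, "EBAY_USER_TOKEN", SMUGGLED_TOKEN);
} catch (e) {
  console.log("safe:", e.message);
}
```

With the unsafe writer the parsed result has `EBAY_API_BASE` pointing at the attacker's host, and it stays that way on every restart because the file is the source of truth. Note that the safe writer still appends rather than replacing an existing key; if the real tool must update in place, it should rewrite the file from a parsed object rather than concatenating, so a key can only ever appear once.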
Collectively, these three CVEs illustrate a maturation of adversarial tactics against Anthropic’s MCP stack: from targeting isolated, misconfigured servers to compromising foundational SDKs, privileged development tools, and the configuration files that persist across restarts. Kai_security_ai warns that “the ecosystem is getting harder to defend,” a sentiment echoed by industry observers who note that the rapid adoption of MCP components in production pipelines leaves little margin for error. Operators now face a multi‑layered remediation challenge: updating the TypeScript SDK to version 1.25.2 or later, patching `xcode-mcp-server` so that debugger arguments are passed as an argument vector rather than interpolated into a shell string, and validating both keys and values in any utility that writes environment or configuration files. Failure to act quickly could expose not only AI services but also the broader development infrastructure that underpins them.
Sources
No primary source found (coverage-based)
- Dev.to AI Tag
This article was created using AI technology and reviewed by the SectorHQ editorial team for accuracy and quality.