Unpatched AI flaw poses risk to banking sector

April 22, 2026

  • Key insight: Security researchers highlighted an architectural flaw in Anthropic’s Model Context Protocol that the company has declined to patch.
  • What’s at stake: U.S. banks utilizing this protocol for agentic AI take on the third-party cybersecurity risk, regardless of Anthropic’s actions.
  • Supporting data: OX Security estimates there are up to 200,000 vulnerable instances of the affected code in total.

Overview bullets generated by AI with editorial review

Security researchers at OX Security said last week that Anthropic’s fast-spreading standard for connecting AI agents to tools that help these agents complete tasks contains an architectural flaw, and Anthropic has declined to patch it.

OX published its research on April 15, documenting how the Model Context Protocol’s default “stdio” setup (the mechanism Anthropic’s own specification recommends for common use cases) can create a channel for running attacker code on the host machine.

The vulnerability matters for U.S. banks looking to build agentic AI tools because MCP is the standard connection developers use to enable AI agents to take actions on internal and external systems.

JPMorganChase, Citi and BNY have all said they are laying the groundwork for agentic-AI systems, the category of software MCP is designed to connect.

Under 2023 guidance issued by bank regulators on third-party risk management, a bank’s reliance on a vulnerable outside protocol doesn’t diminish its own responsibility for safe-and-sound operations. So banks that use MCP own the risk, regardless of what Anthropic chooses to fix.

Anthropic has not yet responded to a request for comment on the research.

OX reports more than 150 million downloads of affected code, roughly 7,000 publicly accessible vulnerable servers, and “up to 200,000 vulnerable instances in total,” the company’s estimate of all vulnerable instances, whether connected to the internet or not.

The risks of MCP’s design are not new. Researchers at Snyk Labs, JFrog and Oligo Security disclosed variants of the same underlying flaw as early as last year, and Anthropic’s own security best practices document already lists arbitrary code execution among known stdio dangers.

What OX’s report adds is measurement of how widely the flaw propagates and demonstration of working exploits on live production platforms rather than theoretical ones.

Anthropic’s position has been consistent throughout. The company has called the stdio behavior “expected,” according to OX, and maintains that securing user input is the developer’s responsibility. In the context of banking, that means the bank’s responsibility.

What the flaw is

MCP includes a built-in mechanism called “stdio” that lets an AI agent launch a local program by specifying a command.

In the code Anthropic published, that configuration flows straight through to a highly privileged operating-system call.

This privilege means that, if the developer wants to let the agent run a Python program, it can run. It also means that if an attacker slips in a command to delete all the files on the computer, that command also runs.

OX itself demonstrated four families of working exploits that abuse this flaw, including successful command execution on six live production platforms.

In one, the firm bypassed validation controls in a so-called “hardened” environment. In another — a so-called “prompt injection” attack — hidden instructions in web content pushed an AI coding tool to rewrite its own configuration and run attacker code.

The research yielded ten CVEs, which are public entries in a common catalog of software vulnerabilities.

MCP is not the only affected project. Others include LiteLLM, IBM-owned LangFlow, LangChain-Chatchat, Flowise and the Windsurf AI coding environment — all different types of AI agent software.

They are vulnerable because they integrate Anthropic’s MCP code and pass user input directly into the same stdio function, inheriting the underlying flaw, according to OX.

Some of these projects have patched their specific implementations of MCP, but the root pattern in Anthropic’s own code has not been fixed.

Anthropic’s position, according to OX, is that the stdio mechanism represents a secure default and that keeping unsafe user input from reaching it is the developer’s responsibility.

Anthropic’s published MCP security best practices address the stdio command-injection pattern only by urging client applications to show consent dialogs and sandbox servers, not by changing the underlying code.

In June 2025, Anthropic did patch a closely related flaw in its MCP Inspector developer tool after researchers at Oligo Security disclosed it. The vulnerability is tracked publicly as CVE-2025-49596 and rated critical.

Anthropic has patched other MCP bugs, and it patches specific tools, but not the underlying code it ships to developers.

Banks are already building on similar technology

Grasshopper Bank in New York uses Anthropic’s model context protocol. JPMorganChase’s in-house generative-AI platform, LLM Suite, now reaches more than 200,000 employees. The bank’s own technology blog, posted after American Banker named LLM Suite 2025 Innovation of the Year, describes the next phase as combining generative AI with workflows to create “AI agents that can carry out a series of actions to complete a goal.”

One of the most common means by which AI agents take actions is through MCP, although the banks building agentic AI solutions have not specifically said whether they use MCP or a different protocol.

FinRegLab, an independent nonprofit research organization, said in a September market scan of agentic AI in financial services that MCP has a standardized communication framework that allows agentic systems to reach internal and external data sources.

Additionally, the Bank of England’s Artificial Intelligence Consortium minutes from October 2025 discuss MCP by name, citing contagion risks where “agentic workflows and still-evolving interoperability protocols could accelerate the spread of flawed updates or misaligned actions across interconnected systems.”

No U.S. banking regulator has made a comparable statement on the record.

The bank owns the risk

Interagency guidance issued in 2023 jointly by the Federal Reserve, FDIC and OCC is unambiguous about who answers for outside infrastructure in banks’ third-party relationships.

“A banking organization’s use of third parties does not diminish its responsibility” for safe and sound operations, the guidance said. The principle applies whether the third party is a fintech vendor, a cloud provider or a protocol maintainer.

The Treasury Department has been pressing on AI cybersecurity since 2024. Its March 2024 report, “Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector,” established AI-specific cyber risks as a sector-wide priority.

Under Secretary for Domestic Finance Nellie Liang said in Treasury’s announcement that AI was “redefining cybersecurity and fraud” in financial services.

In February, Treasury announced the conclusion of the Artificial Intelligence Executive Oversight Group, publishing six resources for AI cybersecurity developed with industry and with state and federal regulators.

PNC Chairman and CEO William S. Demchak, an executive member of the group, said in Treasury’s announcement that the work helps institutions “harness the full power of this transformative technology.”

The OCC’s Fall 2025 Semiannual Risk Perspective flagged cybersecurity and third-party risk management among its ongoing concerns.

Its 2025 Cybersecurity and Financial System Resilience Report notes that threat actors “continue to exploit publicly known software vulnerabilities” at banks and their service providers.

An MCP-based incident at a U.S. bank could plausibly trigger the federal banking agencies’ 36-hour computer-security incident notification rule, regardless of what Anthropic thinks about the root cause.

The gap, and what closes it

U.S. banking regulators’ silence on MCP is unlikely to persist. Fewer than 10% of banks currently run AI on critical production workloads, and 96% of surveyed respondents identified regulatory and compliance challenges as key roadblocks, according to research from Capgemini.

As pilots move into production over the next 18 to 36 months, sector-specific scrutiny of agentic-AI infrastructure becomes harder to avoid.

What would actually close the root flaw, OX argues, is a single change at the root code level. This would involve restricting which commands can run to a pre-approved list, which would propagate protection to every project downstream.
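The allowlist approach described here, and the stdio launch path described under "What the flaw is", can be illustrated with an added example of a host-side policy gate (written for this article, not code from Anthropic, OX or any MCP SDK). It assumes a server definition in the common `{"command", "args", "env"}` shape used by MCP host configuration files, and hypothetical policy values (`ALLOWED_COMMANDS`, `TRUSTED_SCRIPT_ROOT`, `ALLOWED_ENV_KEYS`) that a bank would load from controlled configuration:

```python
import os
from typing import Any

# Hypothetical policy values for this example; load these from controlled config in practice.
ALLOWED_COMMANDS = {"/usr/bin/python3", "/usr/local/bin/node"}   # absolute paths only
TRUSTED_SCRIPT_ROOT = "/opt/mcp-servers"                         # reviewed server code lives here
ALLOWED_ENV_KEYS = {"PATH", "HOME", "LANG"}


class StdioPolicyError(ValueError):
    """Raised when a stdio server definition fails the allowlist policy."""


def validate_stdio_launch(name: str, cfg: dict[str, Any]) -> list[str]:
    """Return the argv the host may spawn for server `name`, or raise StdioPolicyError.

    `cfg` follows the {"command": str, "args": [str], "env": {str: str}} shape
    (assumed here; check the configuration format of the host you actually use).
    """
    command, args, env = cfg.get("command"), cfg.get("args", []), cfg.get("env", {})
    if not isinstance(command, str) or not isinstance(args, list) \
            or not all(isinstance(a, str) for a in args):
        raise StdioPolicyError(f"{name}: command must be a string and args a list of strings")
    # Exact match against the allowlist; normalising first defeats '/usr/bin/../bin/python3'.
    if not os.path.isabs(command) or os.path.normpath(command) not in ALLOWED_COMMANDS:
        raise StdioPolicyError(f"{name}: command {command!r} is not on the allowlist")
    # The first argument must be an absolute script path inside the trusted root. This also
    # rules out '-c' / '-e' style interpreter flags that would turn arguments into code.
    if not args or not os.path.isabs(args[0]):
        raise StdioPolicyError(f"{name}: first argument must be an absolute script path")
    script = os.path.normpath(args[0])
    if os.path.commonpath([TRUSTED_SCRIPT_ROOT, script]) != TRUSTED_SCRIPT_ROOT:
        raise StdioPolicyError(f"{name}: script {args[0]!r} is outside {TRUSTED_SCRIPT_ROOT}")
    # Remaining arguments are treated as data: no further flags, no control characters.
    for a in args[1:]:
        if a.startswith("-") or any(ord(ch) < 32 for ch in a):
            raise StdioPolicyError(f"{name}: rejected argument {a!r}")
    if not isinstance(env, dict) or set(env) - ALLOWED_ENV_KEYS:
        raise StdioPolicyError(f"{name}: env keys must be within {sorted(ALLOWED_ENV_KEYS)}")
    # Hand back an argv list. Spawn it as a list (e.g. subprocess.Popen(argv), no shell),
    # never as a joined string, so no element is ever re-parsed by a shell.
    return [os.path.normpath(command), script, *args[1:]]
```

The gate belongs in the host before anything reaches the process-spawning call; a rejection here is also a useful detection signal worth logging with the offending server definition.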

For bank risk committees now answering for MCP exposure under third-party rules already on the books, the open question is whether specific enough pressure from U.S. regulators, from a chief information security officer willing to speak on the record, or from a material cyber incident will push Anthropic to make a fix before a bank finds out what one of these exploits looks like in production.
