User Beware
A philosophical razor is a principle or rule of thumb that allows one to eliminate – shave off – unlikely explanations for a phenomenon, or avoid unnecessary actions. Hanlon's Razor states that one should never attribute to malice that which can be adequately explained by stupidity. It refers to the idea that people aren’t usually acting in bad faith; they just don’t know what they’re saying and/or how it’s being taken out of context. We all have different experiences, and those shape our perspectives. What’s obvious to one person may not be to another who hasn’t had the same exposure or considered the ramifications. But there is another razor that can be applied to situations: Occam’s. The notion that all things being equal, the explanation with the fewest assumptions is likely to be correct.
Why am I bringing this up today?
The Ox Security Research team has uncovered a widespread, systemic critical vulnerability in Anthropic’s Model Control Protocol (MCP). It grants arbitrary remote command execution in any system with the vulnerability unaddressed. I’ve covered these types of vulnerabilities before, and most are simple flaws or bugs. This is not. This is an architectural design decision across every supported programming language. Which means that any developer using Anthropic’s MCP is subject to this vulnerability.
Ox found four distinct families of exploitation with this flaw, and has laid out in detail what each of them are. Unauthenticated UI Injection in popular AI frameworks. Hardening Bypasses in allegedly protected environments like Flowise. Zero-Click Prompt Injection in leading AI IDEs (Windsurf, Cursor). And Malicious Marketplace Distribution (9 out of 11 MCP registries were successfully ‘poisoned’ with a malicious trial balloon). Many of these have CVE listings, some do not. Every single one of them says the same: RCE vulnerability in nearly every version, with the potential for full system compromise. Of the products affected, Bisheng is scheduled for patching, Upsonic now has a warning on versions higher than 0.72.0, DocsGPT has a patch, and LettaAI has a patch. The rest? The vulnerability remains in place. And those listed in the breakdown are just the ones Ox felt could be publicly mentioned. The scale of this flaw is enormous, with 150M+ downloads, 7,000+ publicly accessible servers, and up to 200,000 vulnerable instances in total, according to Ox.
The team reached out to Anthropic with their findings, and their intention to publish them. Anthropic responded that they would not be modifying the architecture and that this behavior was ‘expected’. Responsibility is in the hands of the users, regardless of their ability to understand what they’re working with. They did not object to the data being published. And here is where the philosophy lesson becomes relevant. We can rule out Hanlon’s Razor; Anthropic cannot claim ignorance. Which leaves Occam’s Razor in play. The ‘flaw’ is deliberate and working as intended. It’s not a bug, it’s a feature.
There is a deep irony here. Anthropic famously turned down a military contract to use drones powered by their own AI because of their fear that the surveillance tech would be turned on US citizens. But they seem to be perfectly content to let other actors exploit their product. Anyone who’s been following me for any length of time has likely gathered my opinion on LLM’s and AI tools (it’s low). The lack of ethical accountability, not to mention a lack of regulatory oversight, is a large part of why.
Before I started writing this report, I took a look at reviews of Anthropic. Their Trustpilot score is 1.5 stars out of five, from 223 reviews. They aren’t alone in this, though. This is comparable to user reviews across the board for OpenAI, ChatGPT and Gemini, as well as Claude. And sure, product reviews are subjective, often of a small sample size, and can be skewed by misunderstanding what a product can actually do. The outlier – at least on Trustpilot – is use.ai, with a score of 4.5 garnered from over 14K reviews. That one is a little more trustworthy, in my opinion, as being an actual overview of the product.
My point is this, however. Users already know AI tools aren’t to be trusted with personal information, functionality or security. All things being equal, the simplest answer is likely to be the right one. And that is the companies making them know this too. And don’t care.
Posted, 4/21/26
















