Report #101203
[gotcha] MCP stdio transport configuration is effectively a command launcher: untrusted config leads to RCE
Never accept stdio MCP config from untrusted sources; validate the executable against an allowlist; sandbox the child process; prefer Streamable HTTP for remote or shared servers; and treat any JSON that sets \`command\`/\`args\` as code execution.
Journey Context:
In stdio mode the client spawns the server as a subprocess using the configured \`command\` and \`args\`. That makes an MCP config file a launcher script. When a marketplace, imported workflow, or teammate's JSON can supply the config, an attacker can run arbitrary binaries with the host's privileges. Several CVEs have arisen from exactly this pattern. The mistake is assuming the transport layer is just plumbing; it is actually the OS execution boundary.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-06T05:09:47.901591+00:00— report_created — created