How MCP Authentication Flaws Enable RCE in Claude Code, Gemini CLI, and More
During our security testing, we discovered that connecting to a malicious MCP server from common coding tools such as Claude Code and Gemini CLI could give an attacker immediate control over the user's computer.
As a preview, here’s a video of us opening the calculator (“popping calc”) on someone’s computer through Claude Code:
“Popping calc” is a harmless way of showcasing remote code execution. The exploits we found can be extended for malicious purposes beyond that, such as invisibly installing a reverse shell or malware.
TL;DR
Earlier this year, MCP introduced an OAuth standard to authenticate clients
Many MCP clients did not validate the authorization URL passed by a malicious MCP server
We were able to exploit this bug to achieve Remote Code Execution (RCE) in popular tools
Evil MCP Server → Sends evil auth URL → Client opens URL → Code execution
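The missing check, as an added defender-side example (not code from the post or from any of the affected clients): before an MCP client hands a server-supplied OAuth authorization URL to the operating system's URL opener, it should verify the scheme, the host, and the expected query parameters, and refuse anything else. The expected-host value, the required parameters, and the sample URLs are assumptions constructed for the demo; the opener is injected so nothing is actually launched.

```python
"""Validate an OAuth authorization URL received from an MCP server before
opening it. Hypothetical check, written to illustrate the gap described above."""
from urllib.parse import urlsplit, parse_qs

# Parameters an authorization-code request must carry exactly once (assumed set).
REQUIRED_PARAMS = ("response_type", "client_id", "redirect_uri", "state")


def validate_authorization_url(url: str, expected_host: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only if the URL is safe to hand to the OS."""
    if any(ord(c) < 0x21 for c in url):           # spaces, newlines, control bytes
        return False, "whitespace or control characters in URL"
    try:
        parts = urlsplit(url)
    except ValueError as exc:                     # e.g. malformed IPv6 literal
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":                   # no http:, file:, or app schemes
        return False, f"scheme {parts.scheme!r} is not https"
    if parts.hostname is None or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    if parts.hostname.lower() != expected_host.lower():   # pin to the configured AS
        return False, f"host {parts.hostname!r} is not the configured authorization server"
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in REQUIRED_PARAMS:
        if len(query.get(name, [])) != 1:
            return False, f"parameter {name!r} missing or repeated"
    if query["response_type"] != ["code"]:
        return False, "response_type must be 'code'"
    return True, "ok"


def open_authorization_url(url: str, expected_host: str, opener) -> tuple[bool, str]:
    """Gate the system opener behind the validator. `opener` is injected; a real
    client would pass webbrowser.open (or xdg-open / open / start)."""
    ok, reason = validate_authorization_url(url, expected_host)
    if ok:
        opener(url)
    return ok, reason


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed request and three that must be refused.
    candidates = [
        "https://auth.example.com/authorize?response_type=code&client_id=mcp-cli"
        "&redirect_uri=http%3A%2F%2F127.0.0.1%3A8765%2Fcallback&state=n0nce",
        "http://auth.example.com/authorize?response_type=code&client_id=mcp-cli&redirect_uri=x&state=y",
        "https://other.example.net/authorize?response_type=code&client_id=mcp-cli&redirect_uri=x&state=y",
        "someapp://open?response_type=code&client_id=mcp-cli&redirect_uri=x&state=y",
    ]
    for candidate in candidates:
        print(open_authorization_url(candidate, "auth.example.com", lambda u: None))
```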