Audit your MCP servers before the attackers do.
According to Ox Security's research, the April 2026 MCP STDIO class of vulnerabilities affects an estimated 200,000 servers with 150M+ downstream package installs. Ten CVEs have been assigned across affected implementations (LiteLLM, Flowise, Windsurf, LibreChat, Cursor, and more). Anthropic’s position — per IT Pro — is that the behavior requires explicit user permission and is not a protocol-level vulnerability. Septim Spire is a $199 one-time CLI scanner that tells you which of your MCP servers are exploitable, why, and the exact config change that hardens each one — without waiting on an upstream fix that isn’t coming.
Launch list open. $0 now. One email with your Stripe link when we ship (~3 weeks).
Anthropic isn’t fixing this.
"It actually lets anyone run any arbitrary OS command … This change didn’t fix anything." — Ox Security research team, on the MCP STDIO architectural RCE
The MCP Standard Input/Output transport has an architectural flaw that allows arbitrary OS command execution on servers running the default configuration. The Ox Security research team disclosed it publicly on April 16, 2026. The Register and Infosecurity Magazine both carried follow-up coverage. As of this writing, Anthropic has declined to patch the issue, classifying the behavior as expected under the current spec.
That leaves every MCP server operator with two options: (1) migrate to an alternative transport (HTTP/SSE) — which requires rebuilding your integration, or (2) harden the STDIO configuration with a specific set of sandbox + input-validation rules that the spec doesn’t mandate but every exposed server needs. Septim Spire exists to make option 2 tractable.
The 12-point audit.
STDIO command injection
The primary vulnerability. Detects input-validation gaps that allow arbitrary command execution.
Transport exposure
Are you running STDIO when you could be on HTTP+SSE with proper auth? Flags servers where migration is cheap.
Subprocess sandbox
Detects spawn-without-jail patterns. Prescribes the specific execve flags.
Input validation
Which arguments reach sh -c unsanitized. Line-level findings.
File-system permissions
Does the MCP server run with write access outside its designated directory?
Environment variable leakage
Subprocess inheriting parent env, leaking API keys / secrets to MCP tool calls.
Tool-permission scope
Tools exposing file system / network / exec when the use case only needs read.
Capability-boundary check
Does a tool do more than its described capability? LLMs trust descriptions; attackers don’t.
Logging gaps
Can you reconstruct what a tool actually did post-incident? Most MCP servers cannot.
Dependency supply chain
npm downloads + version pins. Flags unpinned deps that could ship a malicious update.
Rate-limit / DoS protection
Unbounded loops, recursive tool calls, fork bombs triggered by a single prompt.
Config hardening generator
After finding issues, outputs a drop-in hardened config for your specific transport + runtime.
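An added example, not Spire's code or output: a hardened way for an MCP tool handler to spawn a helper process, covering three of the checks above (arguments reaching sh -c, inherited environment variables, unbounded execution). The names run_tool, minimal_env and ENV_ALLOWLIST are hypothetical, and the child programs and the secret are constructed for the demo.

```python
import os
import subprocess
import sys

# Assumption: these are the only parent variables the child tool needs.
ENV_ALLOWLIST = ("PATH", "LANG", "LC_ALL", "SYSTEMROOT")


def minimal_env():
    """Build the child's environment from an allowlist instead of inheriting it."""
    return {k: os.environ[k] for k in ENV_ALLOWLIST if k in os.environ}


def run_tool(argv, workdir, timeout=5):
    """Spawn a tool from an argv list: no shell, scrubbed env, fixed cwd, time limit."""
    if not isinstance(argv, (list, tuple)) or not all(isinstance(a, str) for a in argv):
        raise TypeError("argv must be a list of strings, never a command string")
    proc = subprocess.run(
        list(argv),
        shell=False,               # arguments are never parsed by sh -c
        env=minimal_env(),         # parent secrets are not passed down
        cwd=workdir,               # child starts in its designated directory
        stdin=subprocess.DEVNULL,  # child cannot read the server's STDIO stream
        capture_output=True,
        text=True,
        timeout=timeout,           # raises TimeoutExpired on a runaway child
    )
    return proc.returncode, proc.stdout


# Constructed child programs for the demo: echo argv[1], list env variable names.
ECHO_ARG = "import sys; sys.stdout.write(sys.argv[1])"
DUMP_ENV = "import os; print(' '.join(sorted(os.environ)))"


def demo(workdir="."):
    os.environ["DEMO_API_KEY"] = "constructed-secret"  # stands in for a real key
    untrusted = "notes.txt; echo INJECTED"              # model-supplied argument
    _, echoed = run_tool([sys.executable, "-c", ECHO_ARG, untrusted], workdir)
    _, names = run_tool([sys.executable, "-c", DUMP_ENV], workdir)
    return echoed, names.split()


if __name__ == "__main__":
    print(demo())
```

The untrusted argument reaches the child as one literal string, and the child's environment contains no DEMO_API_KEY.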
One command. Full audit. Local.
Install the CLI
Single binary. Drop into your PATH. No daemon, no telemetry.
Point it at your server(s)
spire audit ./my-mcp-server/ or spire audit --all for every server in your ~/.claude/ config.
Read the report
Line-level findings, severity scores, and exact fix per issue. Not "consider reviewing." Actual patches.
Apply the hardened config
Spire writes a drop-in replacement config you can review + commit. You verify, not us.
Everything runs on your machine. Spire never sends your server code, configs, or findings to us. No cloud dashboard, no vendor lock-in, no ongoing subscription. One binary, one purchase, lifetime updates via the private GitHub repo you get invited to.
The window is open right now.
Three things are true simultaneously as of April 20, 2026: (1) the Ox Security disclosure has ~72 hours of momentum — security teams are scrambling; (2) Anthropic’s "this is expected behavior" response means the fix will not come upstream; (3) there is no tool on the market today that specifically audits MCP servers for this vulnerability class.
Spire ships in 3 weeks. The first 20 buyers lock in $199 lifetime. Standard rate after is $349. If your organization runs any MCP server in production and has a security review on the calendar for Q2, you want to be a founding buyer.
$199 for the first 20. $349 after.
No credit card. No autobill. One email with your Stripe link when we ship. Cancel anytime.
Real questions.
Is Spire a replacement for dedicated SAST or penetration testing?
No. Spire is specifically focused on the MCP attack surface. For broader application security, pair Spire with your existing SAST/pentest workflow. Spire catches what they miss because MCP is a new class they haven’t been tuned for.
Does Spire send my server code to Anthropic or Septim?
No. The audit runs entirely on your machine. No telemetry, no cloud dashboard. You read the report locally.
What if Anthropic patches the vulnerability after I buy?
Your Spire license keeps working. The 12-point audit covers more than just this single CVE-class — it’s a full MCP security posture review. Updates ship via the private GitHub repo you have access to.
Does Spire work on HTTP+SSE MCP servers?
Yes. Of the 12 checks, 9 apply to HTTP+SSE transports too. The STDIO-specific checks are skipped automatically.
Can I use this during a SOC 2 audit?
Spire produces an audit report you can share with your auditors. We are not a SOC 2 service and Spire itself doesn’t make you SOC 2 compliant — but the findings + hardened configs are defensible evidence that you reviewed your MCP attack surface.
When does it ship?
May 2026, approximately 3 weeks from the opening of the launch list. Founding rate ($199) closes when the first 20 seats fill or on ship day — whichever comes first.
Is this legal advice on the Anthropic MCP spec?
No. Septim Labs is not a law firm. Spire is a security-audit tool. Read the Ox Security disclosure for the canonical technical writeup.