In the last seven days, the Model Context Protocol ecosystem ate two critical disclosures. CVE-2026-39313 — published April 16 — exposed every mcp-framework HTTP server to a single-POST denial-of-service through an unenforced maxMessageSize config. Parallel work from OX Security described a systemic arbitrary-command-execution flaw baked into Anthropic's official MCP SDKs across Python, TypeScript, Java, and Rust — 200+ open-source projects, 150 million downloads, 7,000 public servers, up to 200,000 vulnerable instances in total.
The common thread: MCP treats tools as trusted by default. Agents connect to a server, a server hands back a tool description, the agent acts. Nothing signed. Nothing verified. When the server lies — when its description is rewritten by a malicious maintainer, or its message parser is unbounded, or its command launcher runs the payload regardless of whether the process started — the agent has no basis to refuse.
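What "unbounded message parser" means in practice, as an added example that is not mcp-framework's or MeterCall's code (the Node `http.IncomingMessage` shape and the field names are assumptions): a server that concatenates the whole POST body and only then compares it with `maxMessageSize` has already paid for the allocation, so the limit has to be enforced on each chunk as it streams in.

```javascript
// Added example, not mcp-framework's own code: a byte-counting reader that
// enforces maxMessageSize on each chunk as it arrives. Buffering the whole
// POST and checking its length afterwards (or never) lets one request force
// the server to allocate the full body before any limit applies.

class MessageTooLarge extends Error {
  constructor(limit) { super(`message exceeds maxMessageSize (${limit} bytes)`); this.name = "MessageTooLarge"; }
}

class BoundedMessageBuffer {
  constructor(maxMessageSize) {
    this.limit = maxMessageSize; // bytes, enforced per chunk
    this.size = 0;
    this.chunks = [];
  }
  // Accepts one body chunk; throws as soon as the running total crosses the limit.
  push(chunk) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk, "utf8");
    this.size += buf.length;
    if (this.size > this.limit) {
      this.chunks = []; // release the partial body before signalling
      throw new MessageTooLarge(this.limit);
    }
    this.chunks.push(buf);
  }
  // Parse only after the complete, size-checked body is in hand.
  finish() {
    const msg = JSON.parse(Buffer.concat(this.chunks).toString("utf8"));
    if (msg === null || typeof msg !== "object" || msg.jsonrpc !== "2.0") throw new Error("not a JSON-RPC 2.0 message");
    return msg;
  }
}

// Wrapper for a Node http.IncomingMessage (assumed request shape). A declared
// Content-Length above the limit is refused before reading; the per-chunk check
// still runs because a client can lie about the header or use chunked encoding.
function readBoundedBody(req, maxMessageSize) {
  return new Promise((resolve, reject) => {
    const declared = Number(req.headers["content-length"]);
    if (Number.isFinite(declared) && declared > maxMessageSize) {
      req.destroy();
      return reject(new MessageTooLarge(maxMessageSize));
    }
    const buf = new BoundedMessageBuffer(maxMessageSize);
    req.on("data", (chunk) => { try { buf.push(chunk); } catch (err) { req.destroy(); reject(err); } });
    req.on("end", () => { try { resolve(buf.finish()); } catch (err) { reject(err); } });
    req.on("error", reject);
  });
}
```

Destroying the socket on overflow matters as much as the throw: leaving it open lets the client keep streaming into a handler that has already given up.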
This is the bet: in the next MCP-style disclosure cycle — and there will be another within 90 days — the services still standing will be the ones that moved from "trust the tool description" to "verify every call, every result, every recipient." MeterCall's bidirectional bridge, L4 router, and attestation signer pattern are the reference implementation.
If you're running MCP servers today, rotate keys, upgrade mcp-framework, and consider putting a Sniper pre-check in front of every outbound call. If you're building new agent infrastructure, ship with signed receipts from day one.