There's a security vulnerability in Anthropic's Model Context Protocol that affects Claude Code, Cursor, Windsurf, VS Code, and Gemini-CLI. Researchers at OX Security published the findings in April. Anthropic's response was, essentially: yes, we know, and it's supposed to work that way. That's the kind of answer that's technically defensible and also completely unsatisfying if you're a developer running one of these tools on your machine. Let me break down what's actually going on. First: What Is MCP? If you haven't been following the protocol wars, here's the short version. MCP — Model Context Protocol — is an open standard Anthropic created to let AI models communicate with external tools. Think of it like a USB standard, but for AI agents connecting to your filesystem, your databases, your APIs. When you're using Claude Code and it reaches out to read a file, query a database, or run a terminal command, MCP is the protocol coordinating that.…