MCP Servers Have a Command Execution Problem and OpenAI's GPT-5.5 Codex Users Are Paying for It

MCP servers are shipping with a feature Anthropic calls safe and OX Security calls a vulnerability

OX Security confirmed arbitrary command execution across six live platforms and estimates 200,000 MCP servers are exposed to the same flaw. The issue isn't a bug—it's how the Model Context Protocol was designed. Anthropic calls it a feature. Security researchers call it a risk.

The MCP architecture lets AI agents like Claude Code, Copilot, and Codex execute commands on developer machines through a server interface. That's powerful when it works as intended. It's also a direct path to arbitrary code execution when an attacker can inject commands through the same interface.

OX Security disclosed that three major AI coding agents leaked secrets through a single prompt injection, exploiting the very hooks that MCP uses to orchestrate tasks. The paper trail is thin, but the scope is broad: if you're running an MCP server in a production environment, you're probably exposed.

Anthropic hasn't issued a fix because they don't see it as broken. The protocol assumes trust between the agent and the environment. That assumption doesn't hold up well when agents start running on shared infrastructure or ingesting untrusted input.

OpenAI's GPT-5.5 Codex quota accounting feels broken

Users are reporting that GPT-5.5 Codex drains quota much faster than previous versions, sometimes burning through a day's allocation in a few hours. One developer on the OpenAI forum flagged that the model appears to have a higher "reasoning weight" or different quota logic compared to GPT-5 and earlier releases.

The complaints cluster around two behaviors: Plan Mode pulling in background checks that aren't surfaced to the user, and an expanded context window that silently includes more files than expected. Both can burn tokens fast, but neither is obvious from the UI.

OpenAI's status page also notes that GPT-5.5 rolled out to all paid users this week, which likely means the quota pressure is compounding as more people adopt it. There's no official response yet on whether the accounting is a bug or a deliberate pricing shift dressed as a model upgrade.

On the same forum thread, another user mentioned they've saved 645 million tokens through caching and optimization—a number that sounds impressive until you realize it's the kind of efficiency gain you need just to keep your bill flat under the new model.

OpenAI had a full outage this week and nobody's talking about it

Buried in the status page incident log is a write-up for a full outage that took down the API, ChatGPT, and Sora. The incident is marked "Resolved" now, but the details are sparse. No root cause analysis, no timeline, no commitments beyond "all impacted services have now fully recovered."

There's also a separate note about ChatGPT workspace connectors having their write actions automatically disabled. Admins can manually re-enable them, but the fact that they got flipped off without warning suggests the incident was messier than the one-line summary implies.

If you're building production systems on OpenAI's API, this is the kind of week that reminds you to architect for downtime.

A tiny e-reader wants to live on the back of your phone

TechCrunch reviewed the Xteink X3, a MagSafe-compatible e-ink reader that attaches to the back of your iPhone like a PopSocket. The pitch is simple: when you pull out your phone, you see a book excerpt instead of Instagram.

The hardware is clever—it's small enough to not add bulk, magnetic enough to stay put, and e-ink so the battery lasts weeks. The software is minimal: sync a book, read a paragraph, flip to the next one when you have a spare minute.

Does it work? Probably for the subset of people who already want to read more and just need a nudge. For everyone else, it's a $79 reminder that the problem isn't the device—it's the dopamine loop on the other side of the screen.