MCP Registry CVE-2026-44427
MEDIUMLifecycle Timeline
3DescriptionCVE.org
Summary
The TrailingSlashMiddleware in internal/api/server.go is vulnerable to an open redirect attack. An attacker can craft a URL with a protocol-relative path (e.g., //evil.com/) that, after trailing slash removal, results in a Location header of //evil.com - which browsers interpret as an absolute URL to an external domain.
Details
The TrailingSlashMiddleware strips trailing slashes from request paths and issues a 308 Permanent Redirect to the cleaned path. However, it does not validate or sanitize the resulting path before using it as the redirect target.
When a request is made with a path like //evil.com/, the middleware processes it as follows:
PoC
- Start the registry server locally or identify a deployed instance
- Send a request with a double-slash path followed by an external domain:
curl -v https://<registry-host>//evil.com/ <img width="3066" height="969" alt="image" src="https://github.com/user-attachments/assets/a5305f00-29bf-4708-952a-478d608f2074" />
- Observe the 308 Permanent Redirect response with Location: //evil.com:
- When accessed in a browser, the user is redirected to https://evil.com
Impact
Phishing: Attackers can abuse the trusted registry domain to redirect users to credential-harvesting pages Malware distribution: Redirect users to sites serving malicious downloads Trust abuse: Links originating from the official MCP Registry domain carry implicit trust
AnalysisAI
Open redirect vulnerability in MCP Registry TrailingSlashMiddleware allows remote attackers to craft protocol-relative URLs that bypass path validation, redirecting users from the trusted registry domain to attacker-controlled sites. Affected versions 1.1.0 through 1.7.4 are vulnerable; vendor-released patch available in version 1.7.5. No public exploit code exists at time of analysis, but the vulnerability is trivially exploitable via simple HTTP requests without authentication.
Technical ContextAI
The TrailingSlashMiddleware in internal/api/server.go processes HTTP requests by stripping trailing slashes and issuing 308 Permanent Redirect responses. The flaw exists because the middleware fails to validate that the resulting Location header path does not contain protocol-relative paths (URLs starting with //). When a request path like //evil.com/ is processed, the middleware removes only the trailing slash, leaving //evil.com as the redirect target. Browsers interpret this Location header value as a protocol-relative URL (also called scheme-relative), automatically prepending the request's protocol (http or https) and resolving the domain evil.com. The root cause is insufficient input validation before constructing redirect responses (CWE-601: URL Redirection to Untrusted Site). This affects the Go package github.com/modelcontextprotocol/registry across versions 1.1.0 to 1.7.4.
RemediationAI
Vendor-released patch: upgrade to MCP Registry version 1.7.5 or later. The fix implements input validation in the TrailingSlashMiddleware by rejecting or sanitizing paths that contain protocol-relative patterns (//). The patch PR/commit (1201cbd82b2cf6d4b56edfc05c763059a12f9fdb, merged in PR #1227) also hardens related authentication paths by adding SSRF protections to the IsValidDomain function and safeDialContext. Upgrade instructions and release notes are available at https://github.com/modelcontextprotocol/registry/releases/tag/v1.7.5. Organizations unable to patch immediately should implement network controls to restrict user access to untrusted external redirects, though this is a weak compensating control and does not address the underlying vulnerability. A WAF rule rejecting requests with // in the path is possible but may break legitimate use cases; validation at the application layer (upgrading) is the recommended approach.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-v8vw-gw5j-w7m6