Skip to main content

MCP Registry CVE-2026-44427

MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-05-08 https://github.com/modelcontextprotocol/registry GHSA-v8vw-gw5j-w7m6
Share

Lifecycle Timeline

3
Source Code Evidence Fetched
May 08, 2026 - 17:45 vuln.today
Analysis Generated
May 08, 2026 - 17:45 vuln.today
CVE Published
May 08, 2026 - 17:02 nvd
MEDIUM

DescriptionCVE.org

Summary

The TrailingSlashMiddleware in internal/api/server.go is vulnerable to an open redirect attack. An attacker can craft a URL with a protocol-relative path (e.g., //evil.com/) that, after trailing slash removal, results in a Location header of //evil.com - which browsers interpret as an absolute URL to an external domain.

Details

The TrailingSlashMiddleware strips trailing slashes from request paths and issues a 308 Permanent Redirect to the cleaned path. However, it does not validate or sanitize the resulting path before using it as the redirect target.

When a request is made with a path like //evil.com/, the middleware processes it as follows:

PoC

  1. Start the registry server locally or identify a deployed instance
  2. Send a request with a double-slash path followed by an external domain:

curl -v https://<registry-host>//evil.com/ <img width="3066" height="969" alt="image" src="https://github.com/user-attachments/assets/a5305f00-29bf-4708-952a-478d608f2074" />

  1. Observe the 308 Permanent Redirect response with Location: //evil.com:
  2. When accessed in a browser, the user is redirected to https://evil.com

Impact

Phishing: Attackers can abuse the trusted registry domain to redirect users to credential-harvesting pages Malware distribution: Redirect users to sites serving malicious downloads Trust abuse: Links originating from the official MCP Registry domain carry implicit trust

AnalysisAI

Open redirect vulnerability in MCP Registry TrailingSlashMiddleware allows remote attackers to craft protocol-relative URLs that bypass path validation, redirecting users from the trusted registry domain to attacker-controlled sites. Affected versions 1.1.0 through 1.7.4 are vulnerable; vendor-released patch available in version 1.7.5. No public exploit code exists at time of analysis, but the vulnerability is trivially exploitable via simple HTTP requests without authentication.

Technical ContextAI

The TrailingSlashMiddleware in internal/api/server.go processes HTTP requests by stripping trailing slashes and issuing 308 Permanent Redirect responses. The flaw exists because the middleware fails to validate that the resulting Location header path does not contain protocol-relative paths (URLs starting with //). When a request path like //evil.com/ is processed, the middleware removes only the trailing slash, leaving //evil.com as the redirect target. Browsers interpret this Location header value as a protocol-relative URL (also called scheme-relative), automatically prepending the request's protocol (http or https) and resolving the domain evil.com. The root cause is insufficient input validation before constructing redirect responses (CWE-601: URL Redirection to Untrusted Site). This affects the Go package github.com/modelcontextprotocol/registry across versions 1.1.0 to 1.7.4.

RemediationAI

Vendor-released patch: upgrade to MCP Registry version 1.7.5 or later. The fix implements input validation in the TrailingSlashMiddleware by rejecting or sanitizing paths that contain protocol-relative patterns (//). The patch PR/commit (1201cbd82b2cf6d4b56edfc05c763059a12f9fdb, merged in PR #1227) also hardens related authentication paths by adding SSRF protections to the IsValidDomain function and safeDialContext. Upgrade instructions and release notes are available at https://github.com/modelcontextprotocol/registry/releases/tag/v1.7.5. Organizations unable to patch immediately should implement network controls to restrict user access to untrusted external redirects, though this is a weak compensating control and does not address the underlying vulnerability. A WAF rule rejecting requests with // in the path is possible but may break legitimate use cases; validation at the application layer (upgrading) is the recommended approach.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

CVE-2026-44427 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy