Skip to main content

MCP Registry CVE-2026-44429

| EUVDEUVD-2026-30487 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-08 https://github.com/modelcontextprotocol/registry GHSA-rqv2-m695-f8j4
5.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
CVSS changed
May 14, 2026 - 21:22 NVD
5.1 (MEDIUM)
Source Code Evidence Fetched
May 08, 2026 - 18:00 vuln.today
Analysis Generated
May 08, 2026 - 18:00 vuln.today
CVE Published
May 08, 2026 - 17:18 nvd
MEDIUM

DescriptionGitHub Advisory

Summary

The public catalogue UI served at GET / (file internal/api/handlers/v0/ui_index.html) is vulnerable to stored cross-site scripting via the server.websiteUrl field of any published server.json. Server-side validation in internal/validators/validators.go (validateWebsiteURL) only checks that the URL parses, is absolute, and uses the https scheme; it does not reject quote characters. Client-side, the value is interpolated into a double-quoted href attribute via innerHTML, using a homegrown escapeHtml helper that performs the standard textContentinnerHTML round-trip. Per the HTML serialisation algorithm, that round-trip encodes only &, <, > and U+00A0 inside text nodes - it does not encode " or '. A literal " in websiteUrl therefore breaks out of the href attribute, allowing arbitrary on* event handlers to be appended to the same <a> element. The Content-Security-Policy on / is script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com, so the injected event handlers execute.

Any user able to obtain a publish token (e.g. via POST /v0/auth/github-at with their own GitHub account, or POST /v0/auth/none on a deployment that has anonymous auth enabled) can plant a poisoned record visible to every visitor of the registry homepage.

Affected component

  • Validator: internal/validators/validators.go - validateWebsiteURL (lines 153-199)
  • Sink: internal/api/handlers/v0/ui_index.html - toggleDetails(card, item) at line 432, the href attribute built around escapeHtml(server.websiteUrl)
  • Helper: escapeHtml defined at internal/api/handlers/v0/ui_index.html lines 494-498

Proof of concept

  1. Obtain a Registry JWT for any namespace you control (a GitHub OAuth exchange against a throwaway account suffices):
bash
   TOKEN=$(curl -sS -X POST https://registry.modelcontextprotocol.io/v0/auth/github-at \
        -H 'Content-Type: application/json' \
        -d '{"github_token":"<gh-pat>"}' | jq -r .registry_token)
  1. Publish a server with a poisoned websiteUrl. The literal " is preserved end-to-end:
bash
   curl -sS -X POST https://registry.modelcontextprotocol.io/v0/publish \
     -H "Authorization: Bearer $TOKEN" \
     -H 'Content-Type: application/json' \
     --data-binary @- <<'EOF'
   {
     "$schema": "https://static.modelcontextprotocol.io/schemas/2025-09-29/server.schema.json",
     "name":  "io.github.<your-account>/xss-poc",
     "version": "0.0.1",
     "description": "hover the website link",
     "websiteUrl": "https://example.com/\"onmouseover=alert(document.domain)//"
   }
   EOF
  1. Visit https://registry.modelcontextprotocol.io/, search for xss-poc, click the card to expand it, then hover the Website link in the details panel. The injected onmouseover fires and alert(document.domain) runs on the registry.modelcontextprotocol.io origin.

Why server-side validation does not catch this

Go's net/url.Parse accepts literal " in the path component:

input="https://example.com/\"onmouseover=alert(1)//"  IsAbs=true  Scheme="https"  Path="/\"onmouseover=alert(1)//"

Neither the Huma format:"uri" annotation nor validateWebsiteURL's scheme/IsAbs triplet rejects this string. The architecture's existing protection - repository.url is regex-locked to ^https?://(www\.)?github\.com/[\w.-]+/[\w.-]+/?$ and therefore cannot contain quotes - does not extend to websiteUrl, which has no allowlist.

Why client-side escapeHtml does not catch this

js
function escapeHtml(text) {
    const div = document.createElement('div');
    div.textContent = text;
    return div.innerHTML;
}

Per the HTML5 spec (§13.3 Serialising HTML fragments), the only characters encoded inside the text content of an element are &, <, >, and U+00A0. " and ' are not encoded because in a text-content context they are not special. The helper is therefore safe in element-text contexts (where it is correctly used for name, version, description, etc.) but unsafe inside an attribute value, which is precisely where it is invoked for href on lines 432 and 426.

Impact

  • Stored XSS on the official MCP Registry homepage. The malicious entry sits in the public catalogue alongside legitimate ones; any user expanding the entry triggers the payload.
  • Because the page is served on the official registry.modelcontextprotocol.io origin, the injected script can:
  • Read and overwrite localStorage (baseUrl, customUrl), pinning the user's subsequent reads to an attacker-controlled "Custom" base URL.
  • Issue any same-origin or cross-origin XHR (connect-src * is granted).
  • Phish for Registry JWTs by injecting fake auth flows on the trusted origin.
  • The CSP script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com does not block this because 'unsafe-inline' permits inline event-handler attributes.

Suggested remediation (any one suffices)

  1. Replace the homegrown escapeHtml with an attribute-safe encoder that also escapes ", ', backtick, and = - the OWASP HTML attribute-encoding rule.
  2. Avoid building the href via string templates. Use setAttribute('href', value) instead - setAttribute is not subject to HTML tokenisation, so no breakout is possible.
  3. Tighten validateWebsiteURL to reject any URL whose raw bytes contain ", ', <, >, , \t, or \n, or - conservatively - store the canonical re-serialised form (parsedURL.String() percent-encodes such characters in the path).
  4. Drop 'unsafe-inline' from script-src after auditing the inline scripts on the page.

Approach (3) is the smallest server-side change and immediately neutralises the exploit for any new publishes; approaches (1) or (2) close the class of bug at the sink so future fields with similar patterns are safe by default.

AnalysisAI

Stored cross-site scripting in MCP Registry's catalogue UI allows any user with a publish token to inject arbitrary event handlers via the websiteUrl field by breaking out of an href attribute with an unescaped double-quote character. The server-side URL validator accepts quotes and the client-side escapeHtml helper fails to encode them in attribute context, enabling attackers to execute JavaScript on the registry.modelcontextprotocol.io origin with access to localStorage, XHR, and auth tokens. Vendor-released patch version 1.7.7 available; actively confirmed via proof-of-concept.

Technical ContextAI

The vulnerability stems from a mismatch between HTML parsing and serialization contexts. The Go net/url.Parse function in internal/validators/validators.go accepts literal double-quotes in URL path components without rejection, and the existing validateWebsiteURL function only checks scheme, absoluteness, and parseability - not RFC 3986 character restrictions. The client-side sink is the homegrown escapeHtml function in internal/api/handlers/v0/ui_index.html (lines 494-498), which performs a textContentinnerHTML round-trip. Per HTML5 serialization spec §13.3, this round-trip encodes only &, <, >, and U+00A0 within text nodes; " and ' are not encoded because they are not special in text-content context. When the escaped value is then interpolated into a double-quoted href attribute via string concatenation on line 432, the literal " breaks the attribute boundary, allowing subsequent characters (e.g., onmouseover=alert(1)//) to be parsed as attribute syntax. The CSP policy script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com explicitly permits 'unsafe-inline', which includes inline event handlers, so the injected payload executes. The attack surface is publisher-controlled via the server.json websiteUrl field, accessible to any user who obtains a Registry JWT through /v0/auth/github-at (GitHub OAuth) or /v0/auth/none (if anonymous auth is enabled). The poisoned entry is then displayed to all visitors of the catalogue UI at GET /.

RemediationAI

Upgrade to MCP Registry version 1.7.7 or later, which implements server-side validation rejecting URLs containing quote characters (", '), angle brackets (<, >), whitespace (space, tab, newline, carriage return), and other problematic characters in the websiteUrl field. The patch adds an explicit character-set check in internal/validators/validators.go that rejects invalid characters and instructs publishers to percent-encode such characters if needed (e.g., %20 for space). The fix is applied via commit 78b7bbde07948049b916d76b4769faee461ff930 and PR #1249. For deployments unable to upgrade immediately, apply compensating controls: (1) Disable the /v0/publish endpoint or restrict it to trusted publishers only via authentication or IP allowlisting, preventing untrusted users from planting poisoned entries. (2) Remove 'unsafe-inline' from the script-src CSP directive after auditing all inline scripts on the page, preventing inline event handlers from executing even if attribute-breakout is achieved. (3) Implement Content-Security-Policy stricter than the current policy, using a nonce-based or hash-based approach for legitimate inline scripts. (4) Use DOM attribute-setting methods (element.setAttribute('href', value)) instead of string interpolation for URL attributes in client-side code, as setAttribute bypasses HTML tokenization. Monitor published entries for suspicious websiteUrl values containing special characters, and remove or revoke access for malicious publishers.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2026-33309 CRITICAL POC
9.9 Mar 19

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar

CVE-2019-7304 CRITICAL POC
9.8 Apr 23

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra

CVE-2026-33186 CRITICAL POC
9.1 Mar 18

An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT

CVE-2026-50180 HIGH POC
8.7 Jul 02

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2020-13822 HIGH POC
7.7 Jun 04

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte

CVE-2026-29181 HIGH POC
7.5 Apr 07

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se

CVE-2019-7303 HIGH POC
7.5 Apr 23

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char

CVE-2014-4699 MEDIUM POC
6.9 Jul 09

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-48816 MEDIUM POC
6.5 Jul 01

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w

Share

CVE-2026-44429 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy