Skip to main content

MCP Registry CVE-2026-45781

| EUVDEUVD-2026-30489 LOW
Not Failing Securely ('Failing Open') (CWE-636)
2026-05-14 security-advisories@github.com GHSA-2v5f-5r6w-p67r
3.5
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.5 LOW
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
May 14, 2026 - 22:06 vuln.today
Patch available
May 14, 2026 - 22:02 EUVD
CVE Published
May 14, 2026 - 21:16 nvd
LOW 3.5

DescriptionGitHub Advisory

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.9, OCI ownership validation skips label-match check when upstream OCI registry returns HTTP 429, letting any authenticated publisher bind their io.github.<user>/* namespace to OCI images they do not control. internal/validators/registries/oci.go:104-119 fails open on http.StatusTooManyRequests: when the registry's anonymous fetch to the upstream OCI registry is rate-limited, ValidateOCI returns nil and the publish is accepted without ever running the io.modelcontextprotocol.server.name label-match check at lines 122-141. That label check is the only cross-system ownership proof the registry applies to OCI packages - every other registry type (NPM, PyPI, NuGet, MCPB) treats a non-200 upstream response as a hard error. This vulnerability is fixed in 1.7.9.

AnalysisAI

Improper ownership validation in MCP Registry prior to version 1.7.9 allows authenticated publishers to bind io.github.<user>/* namespaces to OCI images they do not control when the upstream OCI registry returns HTTP 429 rate-limit responses. The vulnerability bypasses the label-match ownership proof check, enabling namespace hijacking for users who publish through OCI-based MCP servers. Patch available in version 1.7.9.

Technical ContextAI

The MCP Registry validates OCI package ownership by checking the io.modelcontextprotocol.server.name label on the upstream OCI image. The validation logic in internal/validators/registries/oci.go (lines 104-119) performs an anonymous fetch to the upstream OCI registry; however, it fails open when receiving HTTP 429 (Too Many Requests) responses, returning nil without executing the critical label-match check (lines 122-141). This differs from all other registry types (NPM, PyPI, NuGet, MCPB), which treat non-200 upstream responses as hard errors. CWE-636 (Weak Ownership Validation) describes the root cause: the system skips the only cross-system ownership proof mechanism when rate-limited, allowing any authenticated user to claim ownership of namespaces via OCI images they do not control.

RemediationAI

Upgrade MCP Registry to version 1.7.9 or later immediately. The patch modifies internal/validators/registries/oci.go to treat HTTP 429 responses from the upstream OCI registry as hard errors (consistent with other registry types), forcing the label-match check to execute before accepting namespace bindings. No workarounds are available for unpatched versions; the vulnerability is inherent to the validation logic. Organizations unable to upgrade immediately should implement upstream controls: restrict OCI image binding for io.github.* namespaces to a verified allowlist of publishers, or temporarily disable OCI-based MCP server publishing until 1.7.9 is deployed. See vendor advisory at https://github.com/modelcontextprotocol/registry/security/advisories/GHSA-2v5f-5r6w-p67r for confirmation.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-45781 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy