Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.9, OCI ownership validation skips label-match check when upstream OCI registry returns HTTP 429, letting any authenticated publisher bind their io.github.<user>/* namespace to OCI images they do not control. internal/validators/registries/oci.go:104-119 fails open on http.StatusTooManyRequests: when the registry's anonymous fetch to the upstream OCI registry is rate-limited, ValidateOCI returns nil and the publish is accepted without ever running the io.modelcontextprotocol.server.name label-match check at lines 122-141. That label check is the only cross-system ownership proof the registry applies to OCI packages - every other registry type (NPM, PyPI, NuGet, MCPB) treats a non-200 upstream response as a hard error. This vulnerability is fixed in 1.7.9.
AnalysisAI
Improper ownership validation in MCP Registry prior to version 1.7.9 allows authenticated publishers to bind io.github.<user>/* namespaces to OCI images they do not control when the upstream OCI registry returns HTTP 429 rate-limit responses. The vulnerability bypasses the label-match ownership proof check, enabling namespace hijacking for users who publish through OCI-based MCP servers. Patch available in version 1.7.9.
Technical ContextAI
The MCP Registry validates OCI package ownership by checking the io.modelcontextprotocol.server.name label on the upstream OCI image. The validation logic in internal/validators/registries/oci.go (lines 104-119) performs an anonymous fetch to the upstream OCI registry; however, it fails open when receiving HTTP 429 (Too Many Requests) responses, returning nil without executing the critical label-match check (lines 122-141). This differs from all other registry types (NPM, PyPI, NuGet, MCPB), which treat non-200 upstream responses as hard errors. CWE-636 (Weak Ownership Validation) describes the root cause: the system skips the only cross-system ownership proof mechanism when rate-limited, allowing any authenticated user to claim ownership of namespaces via OCI images they do not control.
RemediationAI
Upgrade MCP Registry to version 1.7.9 or later immediately. The patch modifies internal/validators/registries/oci.go to treat HTTP 429 responses from the upstream OCI registry as hard errors (consistent with other registry types), forcing the label-match check to execute before accepting namespace bindings. No workarounds are available for unpatched versions; the vulnerability is inherent to the validation logic. Organizations unable to upgrade immediately should implement upstream controls: restrict OCI image binding for io.github.* namespaces to a verified allowlist of publishers, or temporarily disable OCI-based MCP server publishing until 1.7.9 is deployed. See vendor advisory at https://github.com/modelcontextprotocol/registry/security/advisories/GHSA-2v5f-5r6w-p67r for confirmation.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-636 – Not Failing Securely ('Failing Open')
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30489
GHSA-2v5f-5r6w-p67r