Description
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.6, the client-side and server-side GitHub OIDC flow is bound only to a global audience string, not to the specific registry instance being targeted. On the client side, the publisher always appends audience=mcp-registry when requesting the GitHub Actions ID token, regardless of the selected --registry URL. On the server side, the exchange endpoint validates only that same fixed audience and then derives publish permissions directly from repository_owner. As a result, a token legitimately obtained while interacting with one registry deployment remains acceptable to any other deployment that shares the same code and audience string. This vulnerability is fixed in 1.7.6.
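Added example (not code from the MCP Registry project) showing the server-side exchange logic the description criticises beside an instance-bound variant that rejects a token minted for a different deployment. The Claims struct, hasAudience helper, registry URLs and repository owner are constructed placeholders, and the hardened variant is one plausible remediation design, not the project's actual 1.7.6 fix.

```go
package main

import (
	"errors"
	"fmt"
)

// Claims holds the GitHub Actions OIDC claims that matter for this check.
// Signature verification against GitHub's JWKS is assumed to run first.
type Claims struct {
	Audience        []string // "aud" claim
	RepositoryOwner string   // "repository_owner" claim
}

func hasAudience(c Claims, want string) bool {
	for _, a := range c.Audience {
		if a == want {
			return true
		}
	}
	return false
}

// vulnerableExchange mirrors the pre-1.7.6 behaviour described above: only the
// global audience is checked, so every deployment sharing it honours the token.
func vulnerableExchange(c Claims) (string, error) {
	if !hasAudience(c, "mcp-registry") {
		return "", errors.New("unexpected audience")
	}
	return c.RepositoryOwner, nil
}

// hardenedExchange requires the audience to be this deployment's own URL, so a
// token minted for another registry fails. Assumed design, not the 1.7.6 patch.
func hardenedExchange(c Claims, registryURL string) (string, error) {
	if !hasAudience(c, registryURL) {
		return "", fmt.Errorf("audience %v is not bound to %s", c.Audience, registryURL)
	}
	return c.RepositoryOwner, nil
}

func main() {
	// Constructed sample claims; no real token, repository or registry involved.
	legacy := Claims{Audience: []string{"mcp-registry"}, RepositoryOwner: "example-org"}
	bound := Claims{Audience: []string{"https://registry-a.example"}, RepositoryOwner: "example-org"}
	_, replayed := vulnerableExchange(legacy) // identical result on any deployment
	_, rejected := hardenedExchange(bound, "https://registry-b.example")
	fmt.Println("vulnerable replay accepted:", replayed == nil, "hardened replay rejected:", rejected != nil)
}
```

The instance-bound check only works if the publisher requests its ID token with the selected --registry URL as the audience, which is the client-side half of the same fix.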
Published: 2026-05-14
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The MCP Registry accepts GitHub OIDC tokens that are bound only to a generic audience string (mcp-registry) rather than to a specific registry instance. Consequently, a token obtained while interacting with one registry deployment can be reused when accessing any other deployment that shares the same codebase and audience setting. This flaw, a manifestation of CWE‑918 (Broken Object Token Binding), allows an attacker who controls a repository to publish or modify artifacts in an unintended registry, compromising the integrity of the registry’s contents.

Affected Systems

The vulnerability affects all versions of the MCP Registry from the modelcontextprotocol:registry product that are older than 1.7.6. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS score of 2.1 implies a low severity rating, and no EPSS score is available, suggesting a low to uncertain exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to acquire a valid GitHub Actions ID token for a target repository, which typically requires user-level access or a compromised workflow. Once the token is in possession, it can be replayed against any registry instance that shares the audience string, thereby granting publish permissions that the attacker should not possess. Given the low severity and lack of public exploitation evidence, the immediate risk is moderate but warrants prompt mitigation.

Generated by OpenCVE AI on May 14, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MCP Registry to version 1.7.6 or later to enforce instance‑specific audience validation.
  • Configure each registry deployment with a unique audience string or restrict cross‑deployment communication to isolate instances.
  • Apply the principle of least privilege by ensuring that only trusted repository owners have publish rights and regularly audit ACLs for the registry.

Generated by OpenCVE AI on May 14, 2026 at 22:20 UTC.

Advisories
Source | ID | Title
Github GHSA | GHSA-95c3-6vvw-4mrq | MCP Registry's GitHub OIDC tokens are replayable across registry deployments due to shared audience
History

Fri, 15 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Lfprojects; Lfprojects mcp Registry
CPEs | | cpe:2.3:a:lfprojects:mcp_registry:*:*:*:*:*:*:*:*
Vendors & Products | | Lfprojects; Lfprojects mcp Registry
Metrics | | cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N'}


Fri, 15 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | | The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.6, the client-side and server-side GitHub OIDC flow is bound only to a global audience string, not to the specific registry instance being targeted. On the client side, the publisher always appends audience=mcp-registry when requesting the GitHub Actions ID token, regardless of the selected --registry URL. On the server side, the exchange endpoint validates only that same fixed audience and then derives publish permissions directly from repository_owner. As a result, a token legitimately obtained while interacting with one registry deployment remains acceptable to any other deployment that shares the same code and audience string. This vulnerability is fixed in 1.7.6.
Title | | MCP Registry: GitHub OIDC tokens replayable across registry deployments due to shared audience
Weaknesses | | CWE-918
References | |
Metrics | | cvssV4_0 {'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T14:22:18.973Z

Reserved: 2026-05-06T14:40:00.953Z

Link: CVE-2026-44428

Vulnrichment

Updated: 2026-05-15T14:22:14.790Z

NVD

Status : Analyzed

Published: 2026-05-14T22:16:44.593

Modified: 2026-05-15T17:23:35.580

Link: CVE-2026-44428

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T22:30:25Z

Weaknesses