Description
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the Registry's HTTP-based namespace verification (POST /v0/auth/http, POST /v0.1/auth/http) uses safeDialContext (internal/api/handlers/v0/auth/http.go:67-110) to refuse dialling private/internal addresses when fetching the well-known public-key file from a publisher-supplied domain. The blocklist (isBlockedIP, lines 125-133) relies entirely on Go stdlib's IsLoopback / IsPrivate / IsLinkLocalUnicast / IsMulticast / IsUnspecified plus a manual CGNAT range. None of these cover IPv6 6to4 (2002::/16), NAT64 (64:ff9b::/96 and 64:ff9b:1::/48 per RFC 8215), or deprecated site-local (fec0::/10) — all of which encode arbitrary IPv4 in the address bits and tunnel to RFC1918 / cloud-metadata services on dual-stack / NAT64-enabled hosts. This vulnerability is fixed in 1.7.7.
Published: 2026-05-14
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The MCP Registry performs HTTP requests during namespace verification to retrieve a public‑key file from publisher‑supplied domains. It intentionally rejects private or internal IPs, but its blocklist misses IPv6 6to4, NAT64, and deprecated site‑local prefixes that encode arbitrary IPv4 addresses. Consequently, an attacker can supply a domain that resolves to one of these special IPv6 addresses, causing the Registry to establish a connection that bypasses the intended private‑address filter. This SSRF allows unauthenticated access to internal or cloud‑metadata services, enabling information disclosure or lateral movement.
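The following Go code is an added illustration of the blocklist gap described above; it is not code from the MCP Registry project, and the project's own fixed `isBlockedIP` is not shown on this page. It keeps the stdlib predicates and the manual CGNAT range the advisory attributes to the original code, and adds the 6to4, NAT64 and site-local prefixes the advisory says were missing. It goes slightly beyond the page in two ways a practitioner would want: unparseable input is treated as blocked (fail closed), and a resolved host is refused if any of its answers is blocked, so a mixed answer set cannot steer the dial to an internal address. The function names `IsBlockedIP`, `IsBlockedAddr`, `EmbeddedIPv4`, `CheckResolved` and all sample addresses are constructed for this example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Prefixes that net.IP's IsLoopback/IsPrivate/IsLinkLocalUnicast/IsMulticast/
// IsUnspecified do not classify as internal. Constructed for this example from
// the ranges the advisory names; the project's own fixed list may differ.
var (
	cgnat          = mustCIDR("100.64.0.0/10")  // RFC 6598 shared address space (CGNAT)
	sixToFour      = mustCIDR("2002::/16")      // 6to4: IPv4 address in bits 16-47 (RFC 3056)
	nat64WellKnown = mustCIDR("64:ff9b::/96")   // NAT64 well-known prefix (RFC 6052)
	nat64Local     = mustCIDR("64:ff9b:1::/48") // NAT64 local-use prefix (RFC 8215)
	siteLocal      = mustCIDR("fec0::/10")      // deprecated IPv6 site-local (RFC 3879)

	extraBlocked = []*net.IPNet{cgnat, sixToFour, nat64WellKnown, nat64Local, siteLocal}
)

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// IsBlockedIP reports whether a resolved address must not be dialled.
// A nil IP (unparseable input) is treated as blocked: fail closed.
func IsBlockedIP(ip net.IP) bool {
	if ip == nil {
		return true
	}
	// The stdlib predicates; IPv4-mapped IPv6 (::ffff:a.b.c.d) is handled by
	// them because they call To4 internally.
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified() {
		return true
	}
	// The ranges the stdlib does not cover.
	for _, n := range extraBlocked {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// IsBlockedAddr is IsBlockedIP for a textual address; an IPv6 zone suffix
// such as "%eth0" is stripped before parsing.
func IsBlockedAddr(addr string) bool {
	if i := strings.IndexByte(addr, '%'); i >= 0 {
		addr = addr[:i]
	}
	return IsBlockedIP(net.ParseIP(addr))
}

// EmbeddedIPv4 returns the IPv4 address a 6to4 or NAT64 address would be
// translated to, or "" if the address embeds none. Useful in a log line for
// a refused dial, to show what it would actually have reached.
func EmbeddedIPv4(addr string) string {
	ip := net.ParseIP(addr)
	if ip == nil || ip.To4() != nil {
		return ""
	}
	switch {
	case sixToFour.Contains(ip):
		return net.IPv4(ip[2], ip[3], ip[4], ip[5]).String()
	case nat64WellKnown.Contains(ip), nat64Local.Contains(ip):
		return net.IPv4(ip[12], ip[13], ip[14], ip[15]).String()
	}
	return ""
}

// CheckResolved is the policy a safe dialer applies after DNS resolution:
// every answer for host must be dialable, otherwise the whole fetch is refused.
func CheckResolved(host string, addrs []net.IPAddr) error {
	if len(addrs) == 0 {
		return fmt.Errorf("%s: no addresses resolved", host)
	}
	for _, a := range addrs {
		if IsBlockedIP(a.IP) {
			return fmt.Errorf("%s resolves to blocked address %s", host, a.IP)
		}
	}
	return nil
}

func main() {
	// Constructed sample addresses: 6to4 and NAT64 forms embedding RFC 1918
	// space, a site-local address, and a documentation-range public address.
	for _, a := range []string{"2002:c0a8:101::1", "64:ff9b::a00:1", "fec0::1", "2001:db8::1"} {
		fmt.Printf("%-18s blocked=%-5v embeds=%q\n", a, IsBlockedAddr(a), EmbeddedIPv4(a))
	}
}
```

The dialer itself is not shown: in a real `DialContext` the host is resolved first, `CheckResolved` is applied to the full answer set, and the connection is then made to the checked IP literal rather than to the hostname, so a second resolution cannot return a different answer.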

Affected Systems

The vulnerability exists in the MCP Registry from modelcontextprotocol versions before 1.7.7, specifically the HTTP‑based namespace verification endpoints POST /v0/auth/http and POST /v0.1/auth/http. Any deployment of the Registry older than 1.7.7 that accepts external publisher domains is affected. The fix is included in release 1.7.7.

Risk and Exploitability

The CVSS score of 6.3 indicates medium severity. EPSS is below 1% (very low), and the issue is not listed in the CISA KEV catalog. The attack requires an attacker to control or influence a publisher domain that resolves to a 6to4, NAT64, or site‑local IPv6 address; the request to the namespace verification endpoint is unauthenticated, so the vulnerability can be exploited from anywhere that can reach the Registry. If the Registry has outbound connectivity to internal networks, the SSRF can reach internal services, which could lead to sensitive data exposure or further exploitation. In environments where the Registry is exposed to untrusted domains, the risk is higher, and organizations should treat this as a moderate‑to‑high likelihood of internal compromise.

Generated by OpenCVE AI on May 14, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MCP Registry to version 1.7.7 or later to apply the fixed blocklist logic.
  • Restrict the Registry's outbound network access to known trusted publisher domains or private IP ranges, preventing unintended connections to internal or cloud‑metadata services.
  • Configure firewall rules to block outbound connections from the Registry to internal network subnets or to known cloud‑metadata service addresses, providing a temporary mitigation while awaiting a patch.



Advisories
Source: GitHub GHSA
ID: GHSA-r48c-v28r-pf6v
Title: MCP Registry has an unauthenticated SSRF: HTTP namespace verification dials 6to4 / NAT64 / site-local IPv6 addresses, bypassing private-address allowlist
History

Fri, 15 May 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 May 2026 17:45:00 +0000

Type: First Time appeared
Values Added: Lfprojects; Lfprojects mcp Registry

Type: CPEs
Values Added: cpe:2.3:a:lfprojects:mcp_registry:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Lfprojects; Lfprojects mcp Registry

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N'}


Thu, 14 May 2026 21:15:00 +0000

Type: Description
Values Added: The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the Registry's HTTP-based namespace verification (POST /v0/auth/http, POST /v0.1/auth/http) uses safeDialContext (internal/api/handlers/v0/auth/http.go:67-110) to refuse dialling private/internal addresses when fetching the well-known public-key file from a publisher-supplied domain. The blocklist (isBlockedIP, lines 125-133) relies entirely on Go stdlib's IsLoopback / IsPrivate / IsLinkLocalUnicast / IsMulticast / IsUnspecified plus a manual CGNAT range. None of these cover IPv6 6to4 (2002::/16), NAT64 (64:ff9b::/96 and 64:ff9b:1::/48 per RFC 8215), or deprecated site-local (fec0::/10) — all of which encode arbitrary IPv4 in the address bits and tunnel to RFC1918 / cloud-metadata services on dual-stack / NAT64-enabled hosts. This vulnerability is fixed in 1.7.7.

Type: Title
Values Added: MCP Registry: Unauthenticated SSRF: HTTP namespace verification dials 6to4 / NAT64 / site-local IPv6 addresses, bypassing private-address allowlist

Type: Weaknesses
Values Added: CWE-918

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N'}


Subscriptions

Lfprojects Mcp Registry
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T18:05:09.489Z

Reserved: 2026-05-06T14:40:00.954Z

Link: CVE-2026-44430

Vulnrichment

Updated: 2026-05-15T15:29:05.288Z

NVD

Status: Modified

Published: 2026-05-14T21:16:46.827

Modified: 2026-05-15T19:16:59.647

Link: CVE-2026-44430

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T22:30:25Z

Weaknesses