Description
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.9, OCI ownership validation skips the label-match check when the upstream OCI registry returns HTTP 429, letting any authenticated publisher bind their io.github.<user>/* namespace to OCI images they do not control. internal/validators/registries/oci.go:104-119 fails open on http.StatusTooManyRequests: when the registry's anonymous fetch to the upstream OCI registry is rate-limited, ValidateOCI returns nil and the publish is accepted without ever running the io.modelcontextprotocol.server.name label-match check at lines 122-141. That label check is the only cross-system ownership proof the registry applies to OCI packages — every other registry type (NPM, PyPI, NuGet, MCPB) treats a non-200 upstream response as a hard error. This vulnerability is fixed in 1.7.9.
Published: 2026-05-14
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
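
The fail-open branch reported in the description, next to a fail-closed version that treats any non-200 upstream response as a hard error. This is an added example, not the MCP Registry's code: `validate`, `stubUpstream`, the flat JSON label map and the oci.example URL are hypothetical, and the upstream is an in-memory stub rather than a real OCI registry.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const ownerLabel = "io.modelcontextprotocol.server.name" // label named in the description

// validate is a hypothetical ownership check, not the registry's ValidateOCI.
// failOpenOn429=true reproduces the fail-open branch the description reports.
func validate(c *http.Client, url, serverName string, failOpenOn429 bool) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if failOpenOn429 && resp.StatusCode == http.StatusTooManyRequests {
		return nil // fail open: the label comparison below never runs
	}
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("upstream returned %d, refusing publish", resp.StatusCode) // fail closed
	}
	var labels map[string]string
	if err := json.NewDecoder(resp.Body).Decode(&labels); err != nil {
		return err
	}
	if labels[ownerLabel] != serverName {
		return fmt.Errorf("label %q does not match %q", labels[ownerLabel], serverName)
	}
	return nil
}

// stubUpstream is a constructed in-memory upstream (no network): it answers
// every request with the given status and a JSON map holding one label.
type stubUpstream struct{ status int; label string }

func (s stubUpstream) RoundTrip(*http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	rec.WriteHeader(s.status)
	json.NewEncoder(rec).Encode(map[string]string{ownerLabel: s.label})
	return rec.Result(), nil
}

func main() {
	limited := &http.Client{Transport: stubUpstream{status: http.StatusTooManyRequests}}
	fmt.Println("fail-open:  ", validate(limited, "https://oci.example/labels", "io.github.alice/demo", true))
	fmt.Println("fail-closed:", validate(limited, "https://oci.example/labels", "io.github.alice/demo", false))
}
```

With the same rate-limited upstream, the fail-open call returns nil and the fail-closed call returns an error, which is the difference between accepting and rejecting the publish.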
AI Analysis

Impact

The MCP Registry failed to validate ownership of OCI images when the upstream registry returned an HTTP 429 Too Many Requests response, allowing any authenticated publisher to bind their io.github.<user>/* namespace to OCI images they do not control. This flaw bypasses the required label‑match check that normally prevents such cross‑system ownership escalation. The impact is that a malicious publisher could claim responsibility for arbitrary OCI images, potentially presenting counterfeit or malicious packages as legitimate.

Affected Systems

The vulnerability affects the MCP Registry application provided by modelcontextprotocol, specifically all releases earlier than version 1.7.9. Users who have not upgraded to 1.7.9 or later are susceptible to this flaw.

Risk and Exploitability

With a CVSS score of 3.5, the flaw is classified as low severity. No EPSS score is available, and it is not listed in the CISA KEV catalog. Exploitation requires a valid authenticated publisher account, and the attacker can exploit the flaw only when the upstream OCI registry is rate‑limited. Once exploited, the attacker can claim any OCI namespace and use it to distribute unwanted or malicious content under the guise of a legitimate publisher.

Generated by OpenCVE AI on May 14, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MCP Registry to version 1.7.9 or later, which contains the fix for this issue.
  • As a temporary mitigation, disable OCI image publishing for accounts encountering upstream 429 responses until a permanent patch is deployed.
  • Adjust the upstream OCI registry’s rate‑limiting configuration to reduce the chance of a 429 response during normal operation, mitigating risk of the validation bypass.

Advisories

No advisories yet.

History

Thu, 14 May 2026 21:15:00 +0000

Type Values Removed Values Added
Description: same text as the Description at the top of this page
Title: MCP Registry: OCI ownership validation fails open on upstream rate limits, allowing attacker-controlled package claims
Weaknesses: CWE-636
References
Metrics: cvssV3_1 {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T21:00:49.961Z

Reserved: 2026-05-13T07:45:21.252Z

Link: CVE-2026-45781

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-14T21:16:48.480

Modified: 2026-05-15T14:44:49.877

Link: CVE-2026-45781

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T23:30:31Z
