CVE Alert

CVE-2026-44427

UNKNOWN 0.0

MCP Registry: Open Redirect

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. From 1.1.0 to 1.7.4, the TrailingSlashMiddleware in internal/api/server.go is vulnerable to an open redirect attack. An attacker can craft a URL with a protocol-relative path (e.g., //evil.com/) that, after trailing slash removal, results in a Location header of //evil.com, which browsers interpret as an absolute URL to an external domain. This vulnerability is fixed in 1.7.5.
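The pattern described above, as an added Go example that is not the registry's own code: a constructed trailing-slash middleware that reproduces the `//evil.com` Location header, beside one way to keep the redirect same-origin. The function names, the `/v0/servers/` sample path and the slash-collapsing fix are assumptions for illustration; the actual 1.7.5 change may differ.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// naiveTrailingSlash (constructed) strips the trailing slash and redirects to the rest.
func naiveTrailingSlash(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if p := r.URL.Path; p != "/" && strings.HasSuffix(p, "/") {
			http.Redirect(w, r, strings.TrimSuffix(p, "/"), http.StatusPermanentRedirect)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// safeTrailingSlash collapses leading slashes and backslashes (browsers treat
// "\" like "/"), so the Location value always starts with exactly one "/".
func safeTrailingSlash(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if p := r.URL.Path; p != "/" && strings.HasSuffix(p, "/") {
			target := "/" + strings.TrimLeft(strings.TrimRight(p, "/"), `/\`)
			http.Redirect(w, r, target, http.StatusPermanentRedirect)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one request path through a middleware; returns status and Location.
func probe(mw func(http.Handler) http.Handler, path string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.URL.Path = path // set directly so the path reaches the middleware unmodified
	rec := httptest.NewRecorder()
	mw(http.NotFoundHandler()).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	for _, p := range []string{"/v0/servers/", "//evil.com/"} { // constructed sample paths
		_, naive := probe(naiveTrailingSlash, p)
		_, safe := probe(safeTrailingSlash, p)
		fmt.Printf("%-14s naive=%q safe=%q\n", p, naive, safe)
	}
}
```

The same `probe` helper works as a regression test: assert that no Location value returned by the middleware begins with `//` or `/\`.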

CWE: CWE-601
Vendor: modelcontextprotocol
Product: registry
Published: May 14, 2026

Affected Versions

modelcontextprotocol / registry
>= 1.1.0, < 1.7.5

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/modelcontextprotocol/registry/security/advisories/GHSA-v8vw-gw5j-w7m6