CVE-2026-44428
MCP Registry: GitHub OIDC tokens replayable across registry deployments due to shared audience
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.6, the client-side and server-side GitHub OIDC flow is bound only to a global audience string, not to the specific registry instance being targeted. On the client side, the publisher always appends audience=mcp-registry when requesting the GitHub Actions ID token, regardless of the selected --registry URL. On the server side, the exchange endpoint validates only that same fixed audience and then derives publish permissions directly from repository_owner. As a result, a token legitimately obtained while interacting with one registry deployment remains acceptable to any other deployment that shares the same code and audience string. This vulnerability is fixed in 1.7.6.
| Field | Value |
| --- | --- |
| CWE | CWE-918 |
| Vendor | modelcontextprotocol |
| Product | registry |
| Published | May 14, 2026 |
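The following Go program is an added illustration of the audience-binding problem the advisory describes; it is not code from the MCP Registry project, and the project's actual fix in 1.7.6 may differ in detail. It mints an RS256 ID token with a locally generated key (standing in for GitHub's signing key and JWKS), then runs an exchange check that verifies the signature, expiry and audience and returns `repository_owner`. The deployment URLs `RegistryA`/`RegistryB` and the functions `MintToken`, `ExchangeToken` and `Replay` are constructed for this example. `Replay` shows that a token carrying the fixed audience `mcp-registry` is accepted by any deployment validating that same string, while a token whose audience is the target deployment's own URL is accepted only there.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Constructed deployment URLs, plus the fixed audience string the advisory names.
const (
	RegistryA = "https://registry-a.example.invalid" // hypothetical deployment
	RegistryB = "https://registry-b.example.invalid" // hypothetical deployment
	SharedAud = "mcp-registry"
)

var b64 = base64.RawURLEncoding

// Claims is the subset of ID-token claims the exchange logic inspects.
type Claims struct {
	Aud             string `json:"aud"`
	Exp             int64  `json:"exp"`
	RepositoryOwner string `json:"repository_owner"`
}

// MintToken signs an RS256 JWT over c. It stands in for the GitHub Actions ID
// token; in reality GitHub signs it and publishes the verification keys as JWKS.
func MintToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(c)
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// ExchangeToken verifies the RS256 signature (the header's alg is never trusted), rejects
// expired tokens, and requires aud to equal expectedAud exactly before returning repository_owner.
func ExchangeToken(pub *rsa.PublicKey, token, expectedAud string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	raw, err1 := b64.DecodeString(parts[1])
	sig, err2 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil {
		return "", errors.New("bad base64url segment")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", err
	}
	if now.Unix() >= c.Exp {
		return "", errors.New("token expired")
	}
	if c.Aud != expectedAud {
		// Passing the deployment's own URL as expectedAud is what binds the token to it.
		return "", errors.New("audience is not this registry")
	}
	return c.RepositoryOwner, nil
}

// Replay runs the advisory's scenario with a fresh key and reports which deployments accepted what.
func Replay() (sharedElsewhere, boundHome, boundElsewhere bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	now := time.Now()
	exp := now.Add(5 * time.Minute).Unix()
	shared, err1 := MintToken(priv, Claims{Aud: SharedAud, Exp: exp, RepositoryOwner: "example-org"})
	bound, err2 := MintToken(priv, Claims{Aud: RegistryA, Exp: exp, RepositoryOwner: "example-org"})
	if err1 != nil || err2 != nil {
		return false, false, false, errors.New("minting failed")
	}
	// Vulnerable pattern: a second deployment validates the same fixed string.
	_, e := ExchangeToken(&priv.PublicKey, shared, SharedAud, now)
	sharedElsewhere = e == nil
	// Bound pattern: each deployment expects its own URL as the audience.
	_, e = ExchangeToken(&priv.PublicKey, bound, RegistryA, now)
	boundHome = e == nil
	_, e = ExchangeToken(&priv.PublicKey, bound, RegistryB, now)
	boundElsewhere = e == nil
	return sharedElsewhere, boundHome, boundElsewhere, nil
}
```

On the client side the corresponding change is to request the ID token with the selected registry URL as the audience rather than a constant, so that the token the publisher obtains is only meaningful to the deployment it was asked for; deriving publish rights from `repository_owner` is then safe because only the intended deployment ever sees a valid token.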