CVE-2026-45781

LOW 3.5

MCP Registry: OCI ownership validation fails open on upstream rate limits, allowing attacker-controlled package claims

CVSS Score

3.5

EPSS Score

0.0%

EPSS Percentile

0th

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.9, OCI ownership validation skips label-match check when upstream OCI registry returns HTTP 429, letting any authenticated publisher bind their io.github.<user>/* namespace to OCI images they do not control. internal/validators/registries/oci.go:104-119 fails open on http.StatusTooManyRequests: when the registry's anonymous fetch to the upstream OCI registry is rate-limited, ValidateOCI returns nil and the publish is accepted without ever running the io.modelcontextprotocol.server.name label-match check at lines 122-141. That label check is the only cross-system ownership proof the registry applies to OCI packages — every other registry type (NPM, PyPI, NuGet, MCPB) treats a non-200 upstream response as a hard error. This vulnerability is fixed in 1.7.9.

CWE	CWE-636
Vendor	modelcontextprotocol
Product	registry
Published	May 14, 2026

Stay Ahead of the Next One

Get instant alerts for modelcontextprotocol registry

Be the first to know when new low vulnerabilities affecting modelcontextprotocol registry are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Affected Versions

modelcontextprotocol / registry

< 1.7.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/modelcontextprotocol/registry/security/advisories/GHSA-2v5f-5r6w-p67r