The MCP Registry acts as a directory for MCP servers. Before version 1.7.6, the GitHub OIDC flow for both client and server sides uses a global audience string ('mcp-registry') rather than a unique audience per registry instance. Clients always request tokens with this fixed audience, and servers validate tokens only against this audience, deriving permissions from repository ownership. Consequently, a token legitimately obtained from one MCP registry deployment can be reused to interact with any other deployment sharing the same codebase and audience string, potentially allowing unauthorized access or actions. This vulnerability is addressed by binding the OIDC flow to the specific registry instance in version 1.7.6.

An attacker with a token from one MCP registry deployment could use it to access or perform actions on other MCP registry deployments that share the same code and audience string. This could lead to unauthorized repository publishing permissions being granted across deployments. However, the overall impact is limited by the low CVSS score (2.1) and the requirement for user interaction to obtain tokens.

Upgrade MCP registry deployments to version 1.7.6 or later, where the GitHub OIDC flow is properly bound to the specific registry instance, preventing token reuse across deployments. Since no official patch link or remediation level is provided beyond this version update, users should verify with the vendor for the latest guidance. Patch status is not explicitly confirmed in the advisory, so check vendor sources for current remediation details.