CVE-2026-44428: CWE-918: Server-Side Request Forgery (SSRF) in modelcontextprotocol registry
CVE-2026-44428 is a Server-Side Request Forgery (SSRF) vulnerability in the modelcontextprotocol (MCP) registry versions prior to 1. 7. 6. The issue arises because the GitHub OIDC token audience string is globally fixed rather than bound to a specific registry instance. This allows a token obtained from one MCP registry deployment to be accepted by any other deployment sharing the same code and audience string. The vulnerability is rated as low severity with a CVSS score of 2. 1 and is fixed in version 1. 7. 6.
AI Analysis
Technical Summary
The MCP Registry provides clients with a list of MCP servers. Before version 1.7.6, the GitHub OIDC flow for both client and server sides uses a fixed global audience string ('mcp-registry') when requesting and validating ID tokens. This design flaw means that tokens obtained legitimately from one MCP registry instance can be reused to gain publish permissions on other MCP registry instances running the same codebase, due to the lack of audience binding to specific registry URLs. This cross-instance token acceptance constitutes a Server-Side Request Forgery (CWE-918) vulnerability. The issue is resolved in MCP Registry version 1.7.6 by properly binding the audience to the specific registry instance.
Potential Impact
An attacker with a valid token from one MCP registry deployment can use it to interact with other MCP registry deployments that share the same code and audience string. This could lead to unauthorized publish permissions on those other deployments. The CVSS score of 2.1 indicates a low severity impact, reflecting limited exploitability and impact scope. There are no known exploits in the wild.
Mitigation Recommendations
This vulnerability is fixed in MCP Registry version 1.7.6. Users should upgrade to version 1.7.6 or later to ensure proper audience binding in the GitHub OIDC flow and prevent token reuse across registry instances. Patch status is not explicitly stated beyond the fixed version; therefore, upgrading to 1.7.6 is the recommended remediation. No additional vendor advisory content is available to indicate alternative mitigations or temporary fixes.
CVE-2026-44428: CWE-918: Server-Side Request Forgery (SSRF) in modelcontextprotocol registry
Description
CVE-2026-44428 is a Server-Side Request Forgery (SSRF) vulnerability in the modelcontextprotocol (MCP) registry versions prior to 1. 7. 6. The issue arises because the GitHub OIDC token audience string is globally fixed rather than bound to a specific registry instance. This allows a token obtained from one MCP registry deployment to be accepted by any other deployment sharing the same code and audience string. The vulnerability is rated as low severity with a CVSS score of 2. 1 and is fixed in version 1. 7. 6.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The MCP Registry provides clients with a list of MCP servers. Before version 1.7.6, the GitHub OIDC flow for both client and server sides uses a fixed global audience string ('mcp-registry') when requesting and validating ID tokens. This design flaw means that tokens obtained legitimately from one MCP registry instance can be reused to gain publish permissions on other MCP registry instances running the same codebase, due to the lack of audience binding to specific registry URLs. This cross-instance token acceptance constitutes a Server-Side Request Forgery (CWE-918) vulnerability. The issue is resolved in MCP Registry version 1.7.6 by properly binding the audience to the specific registry instance.
Potential Impact
An attacker with a valid token from one MCP registry deployment can use it to interact with other MCP registry deployments that share the same code and audience string. This could lead to unauthorized publish permissions on those other deployments. The CVSS score of 2.1 indicates a low severity impact, reflecting limited exploitability and impact scope. There are no known exploits in the wild.
Mitigation Recommendations
This vulnerability is fixed in MCP Registry version 1.7.6. Users should upgrade to version 1.7.6 or later to ensure proper audience binding in the GitHub OIDC flow and prevent token reuse across registry instances. Patch status is not explicitly stated beyond the fixed version; therefore, upgrading to 1.7.6 is the recommended remediation. No additional vendor advisory content is available to indicate alternative mitigations or temporary fixes.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-06T14:40:00.953Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0643eeec166c07b0159681
Added to database: 5/14/2026, 9:51:42 PM
Last enriched: 5/14/2026, 10:06:52 PM
Last updated: 5/14/2026, 11:02:44 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.