CVE-2026-44430: CWE-918: Server-Side Request Forgery (SSRF) in modelcontextprotocol registry
CVE-2026-44430 is a Server-Side Request Forgery (SSRF) vulnerability in the modelcontextprotocol (MCP) registry prior to version 1. 7. 7. The MCP Registry provides clients with a list of MCP servers and performs HTTP-based namespace verification by fetching public-key files from publisher-supplied domains. The vulnerability arises because the blocklist used to prevent dialing private/internal IP addresses does not cover certain IPv6 address ranges (6to4, NAT64, and deprecated site-local addresses) that can tunnel to internal or cloud metadata services. This gap allows an attacker to bypass the IP blocklist and potentially access internal resources. The issue is fixed in version 1. 7. 7. The CVSS 4.
AI Analysis
Technical Summary
The MCP Registry's HTTP namespace verification mechanism uses a blocklist to prevent SSRF attacks by refusing connections to private/internal IP addresses. However, the blocklist relies on Go standard library functions and a manual CGNAT range that do not account for IPv6 6to4 (2002::/16), NAT64 (64:ff9b::/96 and 64:ff9b:1::/48), or deprecated site-local (fec0::/10) address ranges. These IPv6 ranges can encode arbitrary IPv4 addresses and tunnel requests to internal or cloud metadata services on dual-stack or NAT64-enabled hosts. This incomplete filtering allows an attacker to bypass the blocklist and perform SSRF attacks. The vulnerability is resolved in MCP Registry version 1.7.7.
Potential Impact
An attacker can exploit this vulnerability to bypass IP address blocklists during HTTP namespace verification and make the MCP Registry server send requests to internal or cloud metadata services that should be inaccessible. This could lead to unauthorized access to sensitive internal resources or metadata information. The CVSS score of 6.3 reflects a medium severity impact with network attack vector and no privileges required.
Mitigation Recommendations
This vulnerability is fixed in modelcontextprotocol registry version 1.7.7. Users should upgrade to version 1.7.7 or later to remediate this issue. No official patch or temporary fix is indicated beyond upgrading. Since this is not a cloud service, remediation depends on applying the vendor fix. Patch status is confirmed by the vendor advisory stating the issue is fixed in 1.7.7.
CVE-2026-44430: CWE-918: Server-Side Request Forgery (SSRF) in modelcontextprotocol registry
Description
CVE-2026-44430 is a Server-Side Request Forgery (SSRF) vulnerability in the modelcontextprotocol (MCP) registry prior to version 1. 7. 7. The MCP Registry provides clients with a list of MCP servers and performs HTTP-based namespace verification by fetching public-key files from publisher-supplied domains. The vulnerability arises because the blocklist used to prevent dialing private/internal IP addresses does not cover certain IPv6 address ranges (6to4, NAT64, and deprecated site-local addresses) that can tunnel to internal or cloud metadata services. This gap allows an attacker to bypass the IP blocklist and potentially access internal resources. The issue is fixed in version 1. 7. 7. The CVSS 4.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The MCP Registry's HTTP namespace verification mechanism uses a blocklist to prevent SSRF attacks by refusing connections to private/internal IP addresses. However, the blocklist relies on Go standard library functions and a manual CGNAT range that do not account for IPv6 6to4 (2002::/16), NAT64 (64:ff9b::/96 and 64:ff9b:1::/48), or deprecated site-local (fec0::/10) address ranges. These IPv6 ranges can encode arbitrary IPv4 addresses and tunnel requests to internal or cloud metadata services on dual-stack or NAT64-enabled hosts. This incomplete filtering allows an attacker to bypass the blocklist and perform SSRF attacks. The vulnerability is resolved in MCP Registry version 1.7.7.
Potential Impact
An attacker can exploit this vulnerability to bypass IP address blocklists during HTTP namespace verification and make the MCP Registry server send requests to internal or cloud metadata services that should be inaccessible. This could lead to unauthorized access to sensitive internal resources or metadata information. The CVSS score of 6.3 reflects a medium severity impact with network attack vector and no privileges required.
Mitigation Recommendations
This vulnerability is fixed in modelcontextprotocol registry version 1.7.7. Users should upgrade to version 1.7.7 or later to remediate this issue. No official patch or temporary fix is indicated beyond upgrading. Since this is not a cloud service, remediation depends on applying the vendor fix. Patch status is confirmed by the vendor advisory stating the issue is fixed in 1.7.7.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-06T14:40:00.954Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a063d1aec166c07b0130143
Added to database: 5/14/2026, 9:22:34 PM
Last enriched: 5/14/2026, 9:37:04 PM
Last updated: 5/14/2026, 11:32:49 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.