MCP Registry: OCI validator skips ownership check on upstream rate limits — CVE-2026-45781
GitHub · GitHub · CVE-2026-45781
ID
CVE-2026-45781
CVE-2026-45781
Date
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
low
low
CVSS
3.5
3.5
EPSS
0.00029
0.00029
Summary
# OCI ownership validation fails open on upstream rate limits, allowing attacker to claim arbitrary public OCI images under their own namespace Severity: Low (re-scored post-triage; see Maintainer triage note below) Affected: `modelcontextprotocol/registry` main branch at commit `fe0cb3b` (current HEAD as of 2026-05-09). Live deployment: `https://registry.modelcontextprotocol.io` (per repo README). Route: GitHub…
Product
go: github.com/modelcontextprotocol/registry
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.