Open Redirect Vulnerability in MCP Registry Affects Model Context Protocol
CVE-2026-44427

Key Information:

CVE Published: 14 May 2026

What is CVE-2026-44427?

The MCP Registry is susceptible to an open redirect attack due to a flaw in its TrailingSlashMiddleware component. In versions 1.1.0 through 1.7.4, an attacker can craft a URL with a protocol-relative path so that the middleware's redirect response carries a Location header pointing to an external domain. This enables malicious actors to redirect users to potentially harmful sites while bypassing browser security measures. The issue is fixed in version 1.7.5; users should update to that version or later.

Affected Version(s)

registry >= 1.1.0, < 1.7.5

CVSS V4

Severity: NONE
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved