Vulnerability in MCP Registry Affects Network Security
CVE-2026-44430

6.3 MEDIUM

Key Information:

CVE Published: 14 May 2026

What is CVE-2026-44430?

The MCP Registry is a directory that MCP clients use to locate MCP servers. It has a vulnerability that affects its ability to securely validate public-key files from specified domains. Prior to version 1.7.7, its namespace verification system could be bypassed by exploiting limitations in the blocklist, which relies mainly on standard Go libraries to determine which IP addresses are private or internal. That blocklist does not account for IPv6 tunneling methods like 6to4 and NAT64, which could allow attackers to leverage misconfigured environments. The issue was addressed in the 1.7.7 release, enhancing the Registry's security posture.
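The gap described above, as an added example (not the Registry's code or its 1.7.7 fix): Go's standard-library predicates judge a 6to4 or NAT64 address by its IPv6 form, so a private IPv4 address embedded in it passes unless it is extracted and checked as well. The function names and sample addresses are constructed for illustration, and the set of predicates is an assumption about what a stdlib-based blocklist checks.

```go
package main

import (
	"fmt"
	"net/netip"
)

var (
	sixToFour = netip.MustParsePrefix("2002::/16")    // 6to4 (RFC 3056)
	nat64WKP  = netip.MustParsePrefix("64:ff9b::/96") // NAT64 well-known prefix (RFC 6052)
)

// stdlibInternal uses only the standard-library predicates (assumed baseline).
func stdlibInternal(a netip.Addr) bool {
	a = a.Unmap() // treat ::ffff:a.b.c.d as plain IPv4
	return a.IsPrivate() || a.IsLoopback() || a.IsLinkLocalUnicast() || a.IsUnspecified()
}

// embeddedIPv4 extracts the IPv4 address carried in a 6to4 or NAT64 address.
func embeddedIPv4(a netip.Addr) (netip.Addr, bool) {
	b := a.As16()
	switch {
	case sixToFour.Contains(a): // 2002:AABB:CCDD::/48 carries A.B.C.D in bytes 2..5
		return netip.AddrFrom4([4]byte{b[2], b[3], b[4], b[5]}), true
	case nat64WKP.Contains(a): // 64:ff9b::/96 carries it in bytes 12..15
		return netip.AddrFrom4([4]byte{b[12], b[13], b[14], b[15]}), true
	}
	return netip.Addr{}, false
}

// isInternal also applies the predicates to any embedded IPv4 address.
func isInternal(a netip.Addr) bool {
	v4, ok := embeddedIPv4(a)
	return stdlibInternal(a) || (ok && stdlibInternal(v4))
}

// check returns the stdlib-only and the hardened verdict for a textual address.
func check(s string) (naive, hardened bool) {
	a := netip.MustParseAddr(s)
	return stdlibInternal(a), isInternal(a)
}

func main() {
	// Constructed sample addresses.
	for _, s := range []string{"10.0.0.1", "2002:a00:1::1", "64:ff9b::7f00:1", "64:ff9b::a9fe:a9fe", "2002:808:808::1"} {
		n, h := check(s)
		fmt.Printf("%-20s stdlib=%-5v hardened=%v\n", s, n, h)
	}
}
```

Network-specific NAT64 prefixes (RFC 6052) embed the IPv4 address at other offsets and would need their own cases.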

Affected Version(s)

registry < 1.7.7

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
