CVE-2026-44430

medium

Published 2026-05-14 · Modified 2026-05-15

CVSS v3

4.0

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

CVSS v2

—

VIR risk

4.0

Description

MCP Registry has an unauthenticated SSRF: HTTP namespace verification dials 6to4 / NAT64 / site-local IPv6 addresses, bypassing private-address allowlist

Predictions

Exploit likelihood

50%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/modelcontextprotocol/registry/security/advisories/GHSA-r48c-v28r-pf6v

Package impact

Ecosystem	Package	Vulnerable	Fixed
Go	github.com/modelcontextprotocol/registry	`<1.7.7`	`1.7.7`
GO	github.com/modelcontextprotocol/registry	`< 1.7.7`	`1.7.7`

Application impact

Vendor	Product	Versions	Fixed
lfprojects	mcp_registry	`{"endExcluding":"1.7.7"}`	`1.7.7`

References

https://github.com/modelcontextprotocol/registry/security/advisories/GHSA-r48c-v28r-pf6v
https://nvd.nist.gov/vuln/detail/CVE-2026-44430
https://github.com/modelcontextprotocol/registry/pull/1250
https://github.com/modelcontextprotocol/registry/commit/f5f40bd98084466eaf18fe48ea62a0d534caa774
https://github.com/modelcontextprotocol/registry
https://github.com/modelcontextprotocol/registry/releases/tag/v1.7.7
https://github.com/advisories/GHSA-r48c-v28r-pf6v

CWEs

CWE-918

Verify integrity in audit chain (admin only). AS-IS.