CVE-2026-45781
Description
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.9, OCI ownership validation skips the label-match check when the upstream OCI registry returns HTTP 429, letting any authenticated publisher bind their io.github./* namespace to OCI images they do not control. internal/validators/registries/oci.go:104-119 fails open on http.StatusTooManyRequests: when the registry's anonymous fetch to the upstream OCI registry is rate-limited, ValidateOCI returns nil and the publish is accepted without ever running the io.modelcontextprotocol.server.name label-match check at lines 122-141. That label check is the only cross-system ownership proof the registry applies to OCI packages — every other registry type (NPM, PyPI, NuGet, MCPB) treats a non-200 upstream response as a hard error. This vulnerability is fixed in 1.7.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OCI ownership validation in MCP Registry fails open on HTTP 429, allowing authenticated publishers to claim arbitrary Docker Hub images under their namespace.
Vulnerability
The MCP Registry prior to version 1.7.9 contains a logic flaw in internal/validators/registries/oci.go (lines 104–119) where the ValidateOCI function returns nil (success) when the upstream OCI registry responds with HTTP 429 Too Many Requests [1][2]. This bypasses the io.modelcontextprotocol.server.name label-match check at lines 122–141, which is the only cross-system ownership proof for OCI packages. Other registry types (NPM, PyPI, NuGet, MCPB) treat any non-200 response as a hard error [1].
Exploitation
An authenticated publisher can exploit the fail-open behavior by first exhausting the registry's shared anonymous Docker Hub rate limit (100 manifest pulls per 6 hours per egress IP) [1]. The production NGINX rate limit allows 180 publishes per minute per source IP, so a single attacker can exhaust the quota in roughly 33 seconds [1]. The attacker then submits a publish request with a packages[].identifier pointing to a Docker Hub image they do not own. The validator hits the 429 fail-open branch, returns nil, and the registry stores a record under the attacker's namespace claiming the unrelated image [1][2]. The trigger can also occur organically when Docker Hub rate-limits the registry's egress IP during normal traffic [1].
Impact
A successful attack allows an authenticated publisher to bind their io.github./* namespace to any public OCI image on Docker Hub without proving ownership [1][2]. MCP clients that rely on the registry to discover MCP servers may be directed to a malicious or unintended server payload, leading to potential supply-chain confusion or misdirection. The impact is limited to OCI packages; other registry types are not affected [1].
Mitigation
The vulnerability is fixed in version 1.7.9 of the MCP Registry [1][2][3]. No workaround is documented. The fix ensures that a non-200 upstream response (including 429) is treated as a hard error, consistent with other registry types [1]. The registry maintainers have released the patch; users should upgrade to 1.7.9 or later. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
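As an added illustration, not the MCP Registry's own code, the fail-open branch described above sits beside the fail-closed form the fix adopts; manifestResult, the function names and the sample server name are assumed stand-ins for the real upstream fetch in oci.go:

```go
package main

import (
	"fmt"
	"net/http"
)

// manifestResult is a constructed stand-in for one fetch of an image config from the upstream registry.
type manifestResult struct {
	Status int
	Labels map[string]string
}

const ownershipLabel = "io.modelcontextprotocol.server.name"

// checkOwnershipLabel is the cross-system ownership proof: the label must exist and equal the claimed name.
func checkOwnershipLabel(labels map[string]string, serverName string) error {
	got, ok := labels[ownershipLabel]
	if !ok {
		return fmt.Errorf("image is missing the %s label", ownershipLabel)
	}
	if got != serverName {
		return fmt.Errorf("label %s=%q does not match claimed name %q", ownershipLabel, got, serverName)
	}
	return nil
}

// validateOCIFailOpen reproduces the pre-1.7.9 pattern: HTTP 429 is treated as "cannot check" and the publish succeeds.
func validateOCIFailOpen(res manifestResult, serverName string) error {
	if res.Status == http.StatusTooManyRequests {
		return nil // BUG: fails open; the label check below never runs
	}
	if res.Status != http.StatusOK {
		return fmt.Errorf("upstream registry returned HTTP %d", res.Status)
	}
	return checkOwnershipLabel(res.Labels, serverName)
}

// validateOCIFailClosed treats every non-200 response, 429 included, as a hard error.
func validateOCIFailClosed(res manifestResult, serverName string) error {
	if res.Status != http.StatusOK {
		return fmt.Errorf("upstream registry returned HTTP %d; ownership not verified", res.Status)
	}
	return checkOwnershipLabel(res.Labels, serverName)
}

func main() {
	rl := manifestResult{Status: http.StatusTooManyRequests}
	fmt.Println(validateOCIFailOpen(rl, "io.github.example/server"), validateOCIFailClosed(rl, "io.github.example/server"))
}
```

With a rate-limited upstream the first call returns nil (publish accepted, no proof) while the second returns an error, which is the behavioural difference the 1.7.9 fix introduces.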
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.