PT-2026-39261 · Unknown · Mcp Registry

Gujasec · Published 2026-05-08 · Updated 2026-05-15 · CVE-2026-44427

CVSS v4.0: 5.6 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Name of the Vulnerable Software and Affected Versions
MCP Registry versions 1.1.0 through 1.7.4

Description
The TrailingSlashMiddleware in internal/api/server.go is susceptible to an open redirect. This occurs because the middleware strips trailing slashes from request paths and issues a 308 Permanent Redirect to the cleaned path without validating or sanitizing the resulting path. An attacker can craft a URL using a protocol-relative path (e.g., //evil.com/), which results in a Location header of //evil.com that browsers interpret as an absolute URL to an external domain. This can be leveraged for phishing, malware distribution, and abusing the trust of the official domain.

Recommendations
Update to version 1.7.5.
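
The redirect behaviour described above, as an added Go example that is not MCP Registry's own code: a constructed trailing-slash middleware is run once with the unvalidated redirect target and once with a hardened one. The function names, the sample path /v0/servers/ and the hardening approach (collapsing leading slashes and backslashes) are assumptions for illustration, not the change shipped in 1.7.5.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// trailingSlash 308-redirects "/path/" to "/path" (hypothetical middleware,
// not the project's code). clean maps the trimmed path to the Location value.
func trailingSlash(clean func(string) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if p := r.URL.Path; p != "/" && strings.HasSuffix(p, "/") {
			http.Redirect(w, r, clean(strings.TrimRight(p, "/")), http.StatusPermanentRedirect)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// unvalidated reproduces the flaw: the trimmed path is used as-is.
func unvalidated(p string) string { return p }

// sameOrigin collapses leading slashes and backslashes (browsers treat "\"
// like "/"), so the Location value can never start with "//" and name a host.
func sameOrigin(p string) string { return "/" + strings.TrimLeft(p, `/\`) }

// locationFor sends one request path through the middleware and returns the
// status code and Location header a client would receive.
func locationFor(clean func(string) string, path string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.URL.Path = path // the path as the server parses it from the request line
	rec := httptest.NewRecorder()
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	trailingSlash(clean, ok).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	// Constructed sample paths: a normal route, the advisory's example, no-op case.
	for _, p := range []string{"/v0/servers/", "//evil.com/", "/v0/servers"} {
		_, before := locationFor(unvalidated, p)
		_, after := locationFor(sameOrigin, p)
		fmt.Printf("%-14q unvalidated=%q hardened=%q\n", p, before, after)
	}
}
```

A regression test for the fixed version can assert the same property: for any request path, the Location header of the 308 response starts with exactly one "/".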

Exploit · Fix · Open Redirect

Weakness Enumeration

Related Identifiers

CVE-2026-44427
GHSA-V8VW-GW5J-W7M6

Affected Products

Mcp Registry