PT-2026-39264 · Unknown · Mcp Registry

Matte1782 · Published 2026-05-08 · Updated 2026-05-15 · CVE-2026-44430

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
MCP Registry versions prior to 1.7.7

Description
The MCP Registry contains a Server-Side Request Forgery (SSRF) issue in its HTTP-based namespace verification process. The system uses a function called safeDialContext to prevent connections to private or internal addresses when fetching public-key files from domains provided by publishers. However, the blocklist used by the isBlockedIP() function fails to cover several IPv6 prefix families, including IPv6 6to4 (2002::/16), NAT64 (64:ff9b::/96 and 64:ff9b:1::/48), and deprecated site-local (fec0::/10) addresses. These prefixes can encode arbitrary IPv4 addresses, allowing connections to tunnel to internal RFC1918 or cloud-metadata services on dual-stack or NAT64-enabled hosts.

This issue affects the unauthenticated endpoints "/v0/auth/http" and "/v0.1/auth/http". An attacker can trigger the vulnerability by providing a malicious domain via the domain parameter in the request body. Because the dial occurs before signature verification, no credentials are required to exploit this flaw. This can allow an unauthenticated attacker to reach internal services, such as cloud metadata services, Kubernetes API servers, or internal admin panels, and to use the server as a blind-SSRF oracle to probe for internal services.

Recommendations
Update MCP Registry to version 1.7.7 or later. As a temporary workaround, restrict outbound network access from the registry host to prevent it from reaching internal metadata services or private IPv4 ranges via IPv6 tunneling.
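The root cause described above is a blocklist that compares IPv6 addresses only against native IPv6 ranges, so an IPv6 address that merely carries an IPv4 address (6to4, the NAT64 well-known prefix, IPv4-mapped) is never judged by the IPv4 it points at. The following Go program is an added illustration of the defensive pattern, written for this page; it is not the registry's own safeDialContext or isBlockedIP() code, and the range lists, the function names embeddedIPv4, isBlockedIP and checkAddr, and the sample addresses are all constructed for the example. It extracts the embedded IPv4 address for the 6to4 and 64:ff9b::/96 families and re-runs the IPv4 check on it, while blocking the local-use NAT64 prefix 64:ff9b:1::/48 and the site-local range fec0::/10 outright. A dialer would call checkAddr on every address DNS returns for the publisher-supplied domain, immediately before connecting, so that the decision is made on the resolved address rather than the hostname.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Constructed example of a blocklist check that resolves IPv4-carrying IPv6
// prefixes before deciding. It is not the MCP Registry's own isBlockedIP().

// blockedV4 holds IPv4 ranges a registry host should never dial for a
// publisher-supplied domain: "this" network, RFC1918, CGNAT, loopback,
// link-local (which includes the usual cloud metadata address), multicast
// and reserved space.
var blockedV4 = mustPrefixes(
	"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
	"169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
	"224.0.0.0/4", "240.0.0.0/4",
)

// blockedV6 holds native IPv6 ranges blocked outright, including the two
// families from the advisory that need no IPv4 extraction: deprecated
// site-local (fec0::/10) and the local-use NAT64 prefix (64:ff9b:1::/48).
var blockedV6 = mustPrefixes(
	"::/128", "::1/128", "fc00::/7", "fe80::/10", "fec0::/10",
	"ff00::/8", "64:ff9b:1::/48",
)

var (
	sixToFour = netip.MustParsePrefix("2002::/16")    // 6to4 (RFC 3056)
	nat64WKP  = netip.MustParsePrefix("64:ff9b::/96") // NAT64 well-known prefix (RFC 6052)
)

func mustPrefixes(ss ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(ss))
	for _, s := range ss {
		out = append(out, netip.MustParsePrefix(s))
	}
	return out
}

// embeddedIPv4 returns the IPv4 address an IPv6 address carries for the
// transition mechanisms that tunnel to IPv4 targets; ok is false for plain v6.
func embeddedIPv4(ip netip.Addr) (v4 netip.Addr, ok bool) {
	if ip.Is4In6() { // ::ffff:a.b.c.d
		return ip.Unmap(), true
	}
	b := ip.As16()
	switch {
	case sixToFour.Contains(ip): // 2002:AABB:CCDD::/48 encodes A.B.C.D
		return netip.AddrFrom4([4]byte{b[2], b[3], b[4], b[5]}), true
	case nat64WKP.Contains(ip): // 64:ff9b::a.b.c.d carries IPv4 in the low 32 bits
		return netip.AddrFrom4([4]byte{b[12], b[13], b[14], b[15]}), true
	}
	return netip.Addr{}, false
}

func inAny(ip netip.Addr, ps []netip.Prefix) bool {
	for _, p := range ps {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// isBlockedIP reports whether a resolved address must not be dialed. An IPv6
// address that embeds an IPv4 address is judged by that IPv4 address, so the
// 6to4 or NAT64 encoding of 10.0.0.5 fails the same check the bare IPv4 does.
// The zone is dropped first because Prefix.Contains never matches a zoned
// address, which would otherwise let "fe80::1%eth0" slip past the v6 list.
func isBlockedIP(ip netip.Addr) bool {
	ip = ip.WithZone("")
	if v4, ok := embeddedIPv4(ip); ok {
		return inAny(v4, blockedV4)
	}
	if ip.Is4() {
		return inAny(ip, blockedV4)
	}
	return inAny(ip, blockedV6)
}

// checkAddr is the string-level helper a dialer calls on each address returned
// by DNS before connecting. Unparseable input is treated as blocked (fail closed).
func checkAddr(s string) (blocked bool, err error) {
	ip, err := netip.ParseAddr(s)
	if err != nil {
		return true, fmt.Errorf("unparseable address %q: %w", s, err)
	}
	return isBlockedIP(ip), nil
}

func main() {
	for _, s := range []string{
		"93.184.216.34",            // public IPv4: allowed
		"10.0.0.5",                 // RFC1918: blocked
		"::ffff:10.0.0.5",          // IPv4-mapped form of the same address: blocked
		"2002:a00:5::",             // 6to4 encoding of 10.0.0.5: blocked
		"64:ff9b::169.254.169.254", // NAT64 encoding of a link-local address: blocked
		"64:ff9b:1::1",             // local-use NAT64 prefix: blocked outright
		"fec0::1",                  // deprecated site-local: blocked
		"fe80::1%eth0",             // zoned link-local: still blocked
		"2606:4700::1111",          // public IPv6: allowed
	} {
		b, err := checkAddr(s)
		fmt.Printf("%-26s blocked=%v err=%v\n", s, b, err)
	}
}
```

The check is deliberately applied to addresses, not hostnames: a publisher controls what their domain resolves to, so any filtering done before resolution (or on a different resolution than the one the dialer uses) can be bypassed. Pairing this with the advisory's workaround, egress filtering on the registry host, gives a second layer that does not depend on the blocklist being complete.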

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-44430
GHSA-R48C-V28R-PF6V

Affected Products

Mcp Registry