CVE-2026-45781

Name of the Vulnerable Software and Affected Versions MCP Registry versions prior to 1.7.9

Description OCI ownership validation fails to perform a label-match check when an upstream OCI registry returns an HTTP 429 (Too Many Requests) error. This occurs because the function ValidateOCI() in the file internal/validators/registries/oci.go fails open during rate-limiting events. Consequently, any authenticated publisher can bind their io.github.<user>/* namespace to OCI images they do not control, bypassing the io.modelcontextprotocol.server.name label-match check, which serves as the sole cross-system ownership proof for OCI packages.

Recommendations Update to version 1.7.9.