CVE-2026-45781
CVE-2026-45781 is a low-severity vulnerability with a CVSS 3.x base score of 3.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-636.
Key facts
- Severity: Low (CVSS 3.x base score 3.5)
- EPSS exploit prediction: 0% (11th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-30489
- Weakness: CWE-636
- Published:
- Last modified:
Description
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.9, OCI ownership validation skips label-match check when upstream OCI registry returns HTTP 429, letting any authenticated publisher bind their io.github.<user>/* namespace to OCI images they do not control. internal/validators/registries/oci.go:104-119 fails open on http.StatusTooManyRequests: when the registry's anonymous fetch to the upstream OCI registry is rate-limited, ValidateOCI returns nil and the publish is accepted without ever running the io.modelcontextprotocol.server.name label-match check at lines 122-141. That label check is the only cross-system ownership proof the registry applies to OCI packages — every other registry type (NPM, PyPI, NuGet, MCPB) treats a non-200 upstream response as a hard error. This vulnerability is fixed in 1.7.9.
Frequently asked questions
- What is CVE-2026-45781?
- The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.9, OCI ownership validation skips label-match check when upstream OCI registry returns HTTP 429, letting any authenticated publisher bind their io.github.<user>/* namespace to OCI images they do not control. internal/validators/registries/oci.go:104-119 fails open on http.StatusTooManyRequests: when the registry's anonymous fetch to the upstream OCI registry is rate-limited, ValidateOCI returns nil and the publish is accepted without ever running the io.modelcontextprotocol.server.name label-match check at lines 122-141. That label check is the only cross-system ownership proof the registry applies to OCI packages — every other registry type (NPM, PyPI, NuGet, MCPB) treats a non-200 upstream response as a hard error. This vulnerability is fixed in 1.7.9.
- How severe is CVE-2026-45781?
- CVE-2026-45781 has a CVSS 3.x base score of 3.5, rated low severity. It is exploitable over network with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is none, integrity low, and availability none.
- Is CVE-2026-45781 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (11th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2026-45781?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-45781 have an EU (EUVD) identifier?
- Yes. CVE-2026-45781 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-30489.
- When was CVE-2026-45781 published?
- CVE-2026-45781 was published on 2026-05-14 and last updated on 2026-06-17.
References
Other CWE-636 vulnerabilities
- CVE-2026-22034 — Critical (CVSS 9.8): Snuffleupagus is a module that raises the cost of attacks against website by killing bug classes and providing a…
- CVE-2024-3729 — Critical (CVSS 9.8): The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to improper missing encryption exception handling…
- CVE-2026-40525 — Critical (CVSS 9.1): OpenViking prior to version 0.3.9 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route…
- CVE-2024-43532 — High (CVSS 8.8): Remote Registry Service Elevation of Privilege Vulnerability
- CVE-2025-54870 — High (CVSS 8.7): VTun-ng is a Virtual Tunnel over TCP/IP network. In versions 3.0.17 and below, failure to initialize encryption modules…
- CVE-2026-54762 — High (CVSS 8.6): Traefik is an HTTP reverse proxy and load balancer. From 3.7.0-ea.1 until 3.7.5, there is a medium severity…