2 matches found
CVE-2026-45781 MCP Registry: OCI ownership validation fails open on upstream rate limits, allowing attacker-controlled package claims
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.9, OCI ownership validation skips label-match check when upstream OCI registry returns HTTP 429, letting any authenticated publisher bind their io.github./ namespace to OCI images the...
CVE-2026-45781
The CVE-2026-45781 issue affects the MCP Registry: before 1.7.9, OCI ownership validation can skip the label-match check when upstream OCI registry responses are HTTP 429. This allows an authenticated publisher to bind their io.github./* namespace to OCI images they do not control because the lab...