CVE-2026-44430— MCP Registry: Unauthenticated SSRF: HTTP namespace verification dials 6to4 / NAT64 / site-local IPv6 addresses, bypassing private-address allowlist
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44430
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
MCP Registry: Unauthenticated SSRF: HTTP namespace verification dials 6to4 / NAT64 / site-local IPv6 addresses, bypassing private-address allowlist
Source: NVD (National Vulnerability Database)
Vulnerability Description
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the Registry's HTTP-based namespace verification (POST /v0/auth/http, POST /v0.1/auth/http) uses safeDialContext (internal/api/handlers/v0/auth/http.go:67-110) to refuse dialling private/internal addresses when fetching the well-known public-key file from a publisher-supplied domain. The blocklist (isBlockedIP, lines 125-133) relies entirely on Go stdlib's IsLoopback / IsPrivate / IsLinkLocalUnicast / IsMulticast / IsUnspecified plus a manual CGNAT range. None of these cover IPv6 6to4 (2002::/16), NAT64 (64:ff9b::/96 and 64:ff9b:1::/48 per RFC 8215), or deprecated site-local (fec0::/10) — all of which encode arbitrary IPv4 in the address bits and tunnel to RFC1918 / cloud-metadata services on dual-stack / NAT64-enabled hosts. This vulnerability is fixed in 1.7.7.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| modelcontextprotocol | registry | < 1.7.7 | - |
II. Public POCs for CVE-2026-44430
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44430
请登录查看更多情报信息。
Same Patch Batch · modelcontextprotocol · 2026-05-14 · 6 CVEs total
| CVE-2026-42559 | 8.8 HIGH | RMCP: DNS rebinding vulnerability in rmcp Streamable HTTP server transport |
| CVE-2026-45781 | 3.5 LOW | MCP Registry: OCI ownership validation fails open on upstream rate limits, allowing attack |
| CVE-2026-44429 | MCP Registry: Stored XSS in catalogue UI via attribute-quote breakout in publisher-control | |
| CVE-2026-44427 | MCP Registry: Open Redirect | |
| CVE-2026-44428 | MCP Registry: GitHub OIDC tokens replayable across registry deployments due to shared audi |
IV. Related Vulnerabilities
Same vendor: modelcontextprotocol
- CVE-2026-44428
MCP Registry: GitHub OIDC tokens replayable across registry - CVE-2026-44427
MCP Registry: Open Redirect - CVE-2026-44429
MCP Registry: Stored XSS in catalogue UI via attribute-quote - CVE-2026-45781
MCP Registry: OCI ownership validation fails open on upstrea - CVE-2026-42559
RMCP: DNS rebinding vulnerability in rmcp Streamable HTTP se
Same weakness: CWE-918
- CVE-2026-44428
MCP Registry: GitHub OIDC tokens replayable across registry - CVE-2026-44661
python-utcp: SSRF via attacker-controlled OpenAPI servers[0] - CVE-2026-44589
nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 - CVE-2026-44515
Nextcloud News: Authenticated blind SSRF via feed URL - CVE-2026-42281
MagicMirror²: Unauthenticated SSRF via /cors endpoint
V. Comments for CVE-2026-44430
No comments yet