—
GO-2026-5273
MCP Registry's GitHub OIDC tokens are replayable across registry deployments due to shared audience in github.com/modelcontextprotocol/registry
Details
MCP Registry's GitHub OIDC tokens are replayable across registry deployments due to shared audience in github.com/modelcontextprotocol/registry
Are you affected?
Enter the version of the package you're using.
Affected packages
Go / github.com/modelcontextprotocol/registry
Introduced in:
0 Fixed in: 1.7.6 Fix
go get github.com/modelcontextprotocol/registry@v1.7.6 References
- https://github.com/modelcontextprotocol/registry/security/advisories/GHSA-95c3-6vvw-4mrq [ADVISORY]
- https://nvd.nist.gov/vuln/detail/CVE-2026-44428 [ADVISORY]
- https://github.com/modelcontextprotocol/registry/commit/3f89fc2b1fb34fd49f3c0e1b39e964a5c67b613f [FIX]
- https://github.com/modelcontextprotocol/registry/pull/1229 [FIX]
- https://github.com/modelcontextprotocol/registry/releases/tag/v1.7.6 [WEB]