Vulnerability Description
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. From 1.1.0 to 1.7.4, the TrailingSlashMiddleware in internal/api/server.go is vulnerable to an open redirect attack. An attacker can craft a URL with a protocol-relative path (e.g., //evil.com/) that, after trailing slash removal, results in a Location header of //evil.com — which browsers interpret as an absolute URL to an external domain. This vulnerability is fixed in 1.7.5.
Related Weaknesses (CWE)
References
- https://github.com/modelcontextprotocol/registry/security/advisories/GHSA-v8vw-g
- https://github.com/modelcontextprotocol/registry/security/advisories/GHSA-v8vw-g
FAQ
What is CVE-2026-44427?
CVE-2026-44427 is a documented vulnerability. The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. From 1.1.0 to 1.7.4, the TrailingSlashMiddleware in internal/api/server.go is vulnerable to an open...
How severe is CVE-2026-44427?
CVSS scoring is not yet available for CVE-2026-44427. Check NVD for updates.
Is there a patch for CVE-2026-44427?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.