CVE-2026-44427 NONE

CVE-2026-44427: MCP Registry: Open Redirect

Vendor Modelcontextprotocol
Product registry
Weakness CWE-601 · Open redirect
Published May 14, 2026
Last update May 15, 2026

CVSS base score

0.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. From 1.1.0 to 1.7.4, the TrailingSlashMiddleware in internal/api/server.go is vulnerable to an open redirect attack. An attacker can craft a URL with a protocol-relative path (e.g., //evil.com/) that, after trailing slash removal, results in a Location header of //evil.com — which browsers interpret as an absolute URL to an external domain. This vulnerability is fixed in 1.7.5.

Key dates

02Disclosure timeline

May 14, 2026 CVE published
May 15, 2026 Record updated