MCP Registry GitHub OIDC Token Replay Vulnerability Across Registry Deployments

Vulnerability

A vulnerability exists in the MCP Registry's GitHub OpenID Connect (OIDC) authentication flow, allowing tokens to be replayed across different registry deployments. This issue arises because the OIDC flow is tied to a global audience string, rather than to individual registry instances. As a result, a token obtained from one registry can be used to authenticate with another registry that shares the same audience, bypassing intended access controls. This vulnerability affects MCP Registry versions prior to 1.7.6.

Impact

Exploitation of this vulnerability allows an attacker to impersonate a GitHub owner identity on a different registry deployment, inheriting publish permissions for that owner. This could lead to unauthorized publication or update actions on the victim registry instance.

Reproduction

To reproduce this vulnerability, log in to a GitHub OIDC publishing workflow targeting a registry deployment that is not the intended one, such as a staging or self-hosted registry. During this process, the publisher will request a GitHub Actions ID token with the shared audience 'mcp-registry'. Once the token is obtained, it can be replayed to another registry deployment running the same code and audience configuration, effectively minting a publish-capable registry JWT for the same GitHub owner namespace.

Remediation

Users are advised to update to MCP Registry version 1.7.6 or later. Additionally, the audience string should be replaced with a registry-specific identifier, and the publisher should request an audience that matches the exact registry instance being targeted. It is also recommended to bind the token exchange to deployment-specific claims to prevent cross-registry token replay.
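The remediation above comes down to one check on the receiving side: the registry must only accept a GitHub Actions ID token whose aud claim names that specific deployment, not a value every deployment shares. The following Go program is an added illustration written for this page; it is not code from the MCP Registry project, and the audience values, the owner name and the helper names are assumptions. It models the claim checks a registry would apply after signature verification against GitHub's JWKS (which is out of scope here and assumed to have already passed): issuer, expiry, the presence of a repository_owner claim, and an audience bound to the instance. The constructed tokens carry an empty signature segment purely so the validator can be exercised offline.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ghIssuer is the issuer GitHub Actions uses for its ID tokens.
const ghIssuer = "https://token.actions.githubusercontent.com"

// audience accepts the aud claim as either a single string (what GitHub emits)
// or a JSON array (which RFC 7519 also permits).
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*a = audience(many)
	return nil
}

// Claims is the subset of GitHub Actions ID-token claims checked here.
type Claims struct {
	Iss             string   `json:"iss"`
	Aud             audience `json:"aud"`
	Exp             int64    `json:"exp"`
	RepositoryOwner string   `json:"repository_owner"`
}

// decodePayload extracts the claims segment of a compact JWT. Signature
// verification is assumed to have happened before this is called.
func decodePayload(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// ValidateForRegistry returns the GitHub owner a token vouches for, but only
// when the token was issued by GitHub, is unexpired, and its aud claim names
// this deployment (expectedAud). A token minted for a shared audience such as
// "mcp-registry" fails once expectedAud is instance-specific.
func ValidateForRegistry(token, expectedAud string, now time.Time) (string, error) {
	c, err := decodePayload(token)
	if err != nil {
		return "", err
	}
	if c.Iss != ghIssuer {
		return "", fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	if now.Unix() >= c.Exp {
		return "", errors.New("token expired")
	}
	matched := false
	for _, a := range c.Aud {
		if a == expectedAud {
			matched = true
			break
		}
	}
	if !matched {
		return "", fmt.Errorf("audience %v does not include %q", []string(c.Aud), expectedAud)
	}
	if c.RepositoryOwner == "" {
		return "", errors.New("missing repository_owner claim")
	}
	return c.RepositoryOwner, nil
}

// MintUnsignedToken builds a token with the given claims and an empty
// signature segment. Constructed test input only; real tokens are RS256-signed.
func MintUnsignedToken(aud, owner string, exp time.Time) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload, _ := json.Marshal(map[string]any{
		"iss": ghIssuer, "aud": aud, "exp": exp.Unix(), "repository_owner": owner,
	})
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + "."
}

func main() {
	now := time.Now()
	exp := now.Add(5 * time.Minute)
	// Assumed deployment identifiers for a staging and a production registry.
	const staging, prod = "https://staging.registry.example", "https://registry.example"

	// Pre-fix model: every deployment expects the shared audience, so a token
	// requested for one deployment validates at the other.
	shared := MintUnsignedToken("mcp-registry", "example-owner", exp)
	_, err := ValidateForRegistry(shared, "mcp-registry", now)
	fmt.Println("shared audience at production:", err)

	// Post-fix model: production expects its own audience; a token minted for
	// staging (or for the old shared audience) is rejected.
	forStaging := MintUnsignedToken(staging, "example-owner", exp)
	_, err = ValidateForRegistry(forStaging, prod, now)
	fmt.Println("staging token at production:", err)
}
```

The essential change is in what ValidateForRegistry is handed as expectedAud: the publisher must request an ID token whose audience is the exact registry it is about to talk to, and that registry must compare against its own identifier rather than a constant compiled into every deployment.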

Added: May 14, 2026, 10:22 PM
Updated: May 14, 2026, 10:22 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          2.5
  exploitability  6.3
  remediation     0.0
  relevance       8.3
  threat          1.6
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.