{"id":"GO-2026-5607","summary":"MCP Registry has an unauthenticated SSRF: HTTP namespace verification dials 6to4 / NAT64 / site-local IPv6 addresses, bypassing private-address allowlist in github.com/modelcontextprotocol/registry","details":"MCP Registry has an unauthenticated SSRF: HTTP namespace verification dials 6to4 / NAT64 / site-local IPv6 addresses, bypassing private-address allowlist in github.com/modelcontextprotocol/registry","aliases":["CVE-2026-44430","GHSA-r48c-v28r-pf6v"],"modified":"2026-06-25T23:01:24.328460057Z","published":"2026-06-25T22:34:34Z","database_specific":{"review_status":"UNREVIEWED","url":"https://pkg.go.dev/vuln/GO-2026-5607"},"references":[{"type":"ADVISORY","url":"https://github.com/modelcontextprotocol/registry/security/advisories/GHSA-r48c-v28r-pf6v"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44430"},{"type":"FIX","url":"https://github.com/modelcontextprotocol/registry/commit/f5f40bd98084466eaf18fe48ea62a0d534caa774"},{"type":"FIX","url":"https://github.com/modelcontextprotocol/registry/pull/1250"},{"type":"WEB","url":"https://github.com/modelcontextprotocol/registry/releases/tag/v1.7.7"}],"affected":[{"package":{"name":"github.com/modelcontextprotocol/registry","ecosystem":"Go","purl":"pkg:golang/github.com/modelcontextprotocol/registry"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.7.7"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-5607.json"}}],"schema_version":"1.7.5"}