Extensions can install MCP servers that bypass private registry restrictions #1834

Description

@rpete3

Type: Bug

VS Code extensions are currently able to install and register Model Context Protocol (MCP) servers that are not defined in an organization’s private MCP registry.
From an enterprise governance and security perspective, this behavior is problematic. When a private MCP registry is configured, VS Code should enforce it as an allowlist, preventing extensions from installing, registering, or invoking any MCP servers that are not explicitly declared in that registry.
As it stands:

Extensions can introduce MCP servers outside of the approved registry.
Administrators have no reliable way to prevent or audit this behavior using existing controls.
This undermines efforts by organizations to strictly control which MCP servers are permitted in regulated or locked-down environments.

Impact
This affects any organization attempting to:

Enforce supply chain and AI tool governance
Meet regulatory or compliance requirements
Maintain a strict allowlist of sanctioned MCP servers

Without stronger enforcement, extensions can unintentionally or intentionally bypass organizational policy, creating both security and compliance gaps.

VS Code version: Code 1.119.0 (Universal) (8b640eef5a6c6089c029249d48efa5c99adf7d51, 2026-05-05T11:23:50-07:00)
OS version: Darwin arm64 25.4.0
Modes:
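
An added example, not part of the original issue and not VS Code's own code: a defender-side audit that lists installed extensions whose manifest declares an MCP server provider and flags those not on an approved list. It assumes the `contributes.mcpServerDefinitionProviders` contribution point in the extension's `package.json` (not named in the issue); the approved extension IDs and the sample manifests are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# VS Code contribution point for extension-provided MCP servers (assumption: not named on the page).
CONTRIB_KEY = "mcpServerDefinitionProviders"

def find_mcp_provider_extensions(extensions_dir):
    """Return {extension_id: [provider ids]} for extensions that declare MCP providers."""
    findings = {}
    for manifest in sorted(Path(extensions_dir).glob("*/package.json")):
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing to evaluate
        contributes = pkg.get("contributes") if isinstance(pkg, dict) else None
        providers = contributes.get(CONTRIB_KEY) if isinstance(contributes, dict) else None
        if not isinstance(providers, list) or not providers:
            continue
        ext_id = f"{pkg.get('publisher', '?')}.{pkg.get('name', '?')}".lower()
        findings[ext_id] = [p.get("id", "?") for p in providers if isinstance(p, dict)]
    return findings

def unapproved(findings, approved_extension_ids):
    """Filter findings down to extensions missing from the (hypothetical) approved list."""
    approved = {e.lower() for e in approved_extension_ids}
    return {ext: ids for ext, ids in findings.items() if ext not in approved}

def build_sample_dir():
    """Constructed sample: three fake extension folders, two of which declare MCP providers."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "acme.tools-1.0.0": {"publisher": "Acme", "name": "tools",
                             "contributes": {CONTRIB_KEY: [{"id": "acmeProvider", "label": "Acme"}]}},
        "contoso.helper-2.1.0": {"publisher": "contoso", "name": "helper",
                                 "contributes": {CONTRIB_KEY: [{"id": "helperMcp", "label": "Helper"}]}},
        "misc.theme-0.3.0": {"publisher": "misc", "name": "theme", "contributes": {"themes": []}},
    }
    for folder, pkg in samples.items():
        (root / folder).mkdir()
        (root / folder / "package.json").write_text(json.dumps(pkg), encoding="utf-8")
    return root

if __name__ == "__main__":
    found = find_mcp_provider_extensions(build_sample_dir())
    for ext, providers in unapproved(found, {"acme.tools"}).items():
        print(f"UNAPPROVED MCP provider: {ext} -> {providers}")
```

The manifest only declares the provider; the servers themselves are returned at runtime, so this identifies which extensions can register MCP servers, not which servers they register. On a real machine, pass the user extensions directory (by default `~/.vscode/extensions`) instead of the sample directory.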

    Labels

    Type:CustomerSupportProblem recognized as a customer support case
