Description
GitHub MCP Server is GitHub's official MCP Server. From 0.22.0 until 1.1.2, when running in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton initialized with the first authenticated user's GraphQL client. All subsequent requests from different users share this singleton and their lockdown-related GraphQL queries are executed using the first user's credentials. The singleton is never updated to reflect later users' tokens. This vulnerability is fixed in 1.1.2.
Published: 2026-06-26
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

When the server runs in HTTP mode with lockdown mode enabled, the RepoAccessCache (the cache behind the lockdown access checks) is a process-global singleton that holds the GraphQL client of the first user to authenticate. Every later request from a different user reuses that same instance, so its lockdown-related GraphQL queries run under the first user's token, and the client is never replaced when a new token arrives. Lockdown decisions for later users therefore reflect the first user's repository access rather than their own: a user who should be constrained by lockdown mode can have the check answered with the first user's permissions, potentially exposing repository contents or allowing actions beyond that user's authorization, while the first user's token is spent on queries made on other users' behalf.

Affected Systems

GitHub MCP Server versions 0.22.0 through 1.1.1 are affected; the fix shipped in version 1.1.2. The issue manifests only when the server runs in HTTP mode with the --lockdown-mode option enabled and serves more than one user from one process; a deployment with a single token in the process has nothing to confuse.

Risk and Exploitability

The CVSS v3.1 score is 6.0 (Medium), vector AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L: reachable over the network, requiring only low privileges (a valid token) and no user interaction, with changed scope because one user's token is applied to another user's requests. EPSS is below 1% and the CVE is not in CISA KEV, so no widespread exploitation was known at publication; the SSVC entry records a proof of concept. Exploitation requires a shared multi-user HTTP deployment in lockdown mode: whichever authenticated user initialises the singleton fixes the token used for everyone else's lockdown queries, so a later user's access checks are answered with that user's permissions. The dependence on request ordering is consistent with the high attack-complexity rating.

Generated by OpenCVE AI on June 26, 2026 at 17:25 UTC.
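The mechanism in the description and impact analysis above is a classic "first caller wins" singleton. The following is an added, self-contained Go illustration written for this page; it is not code from the github-mcp-server project. The names (GraphQLClient, RepoAccessCache, VulnerableCache, FixedCache), the constructed pushAccess table that stands in for the real GraphQL lookup, and the two users and their tokens are all assumptions made for the example. It runs the same lockdown check for two users through a process-global sync.Once singleton (the vulnerable shape) and through a per-token cache (one way to fix it), and records which token actually answered each query.

```go
package main

import (
	"fmt"
	"sync"
)

// Constructed sample data standing in for the GraphQL lookup behind lockdown mode:
// which token the server would find has push access to which repository.
var pushAccess = map[string]map[string]bool{
	"token-alice": {"acme/internal-tools": true},
	"token-bob":   {},
}

// GraphQLClient is a stand-in for an authenticated GraphQL client bound to one user token.
type GraphQLClient struct{ Token string }

// ViewerHasPushAccess answers a lockdown-style access query with this client's own token.
func (c *GraphQLClient) ViewerHasPushAccess(repo string) bool {
	return pushAccess[c.Token][repo]
}

// RepoAccessCache memoises access answers; it is only correct for the token it was built with.
type RepoAccessCache struct {
	client  *GraphQLClient
	mu      sync.Mutex
	results map[string]bool
}

func newRepoAccessCache(c *GraphQLClient) *RepoAccessCache {
	return &RepoAccessCache{client: c, results: map[string]bool{}}
}

// CanPush returns the cached access decision for repo and the token it was decided with.
func (r *RepoAccessCache) CanPush(repo string) (bool, string) {
	r.mu.Lock()
	defer r.mu.Unlock()
	allowed, ok := r.results[repo]
	if !ok {
		allowed = r.client.ViewerHasPushAccess(repo)
		r.results[repo] = allowed
	}
	return allowed, r.client.Token
}

// Vulnerable pattern: a process-global singleton initialised by whichever request comes first.
// The client argument is silently ignored on every later call.
var (
	globalOnce  sync.Once
	globalCache *RepoAccessCache
)

func VulnerableCache(c *GraphQLClient) *RepoAccessCache {
	globalOnce.Do(func() { globalCache = newRepoAccessCache(c) })
	return globalCache
}

// Fixed pattern: one cache per token, so a lookup is always made with the requesting user's
// credentials. Keyed on the raw token here for brevity; a real server would key on a token
// hash or user id rather than hold plaintext tokens as map keys.
var (
	perTokenMu     sync.Mutex
	perTokenCaches = map[string]*RepoAccessCache{}
)

func FixedCache(c *GraphQLClient) *RepoAccessCache {
	perTokenMu.Lock()
	defer perTokenMu.Unlock()
	cache, ok := perTokenCaches[c.Token]
	if !ok {
		cache = newRepoAccessCache(c)
		perTokenCaches[c.Token] = cache
	}
	return cache
}

// Decision records a lockdown check's outcome and which token actually performed the query.
type Decision struct {
	Allowed   bool
	UsedToken string
}

// Simulate sends Alice's request first and Bob's second through the given cache factory.
func Simulate(factory func(*GraphQLClient) *RepoAccessCache) map[string]Decision {
	users := []struct {
		name string
		c    *GraphQLClient
	}{{"alice", &GraphQLClient{Token: "token-alice"}}, {"bob", &GraphQLClient{Token: "token-bob"}}}
	out := map[string]Decision{}
	for _, u := range users {
		allowed, used := factory(u.c).CanPush("acme/internal-tools")
		out[u.name] = Decision{Allowed: allowed, UsedToken: used}
	}
	return out
}

func main() {
	for _, v := range []struct {
		name    string
		factory func(*GraphQLClient) *RepoAccessCache
	}{{"vulnerable", VulnerableCache}, {"fixed", FixedCache}} {
		res := Simulate(v.factory)
		fmt.Printf("%-10s alice=%+v bob=%+v\n", v.name, res["alice"], res["bob"])
	}
}
```

With the singleton, Bob's check is answered from Alice's cache with Alice's token and he is granted push access he does not have; with the per-token cache his own token answers and he is denied. The same confusion would appear for any per-user state stored in a process-global, so the practical review check on a multi-tenant HTTP server is: every sync.Once or package-level cache that captures a credential must instead be keyed by the requesting principal or carried in the request context.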

Remediation

Fixed upstream in GitHub MCP Server 1.1.2 (advisory GHSA-pjp5-fpmr-3349). No vendor workaround for earlier versions is recorded on this page.

OpenCVE Recommended Actions

  • Apply the vendor’s patch by upgrading to GitHub MCP Server version 1.1.2 or later.
  • If upgrading is not immediately possible, do not serve multiple users from one HTTP-mode process with --lockdown-mode enabled: the singleton is process-global, so a separate server process per user does not share it. Disabling --lockdown-mode also removes the confusion, but it removes the protection lockdown mode provides as well, so treat that as a last resort rather than a fix.
  • Restrict HTTP access so that only trusted administrators or automated processes can authenticate against the MCP Server, preventing unintended delegation of credentials.

Generated by OpenCVE AI on June 26, 2026 at 17:25 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-pjp5-fpmr-3349
Title: GitHub MCP Server: Lockdown mode singleton in HTTP server causes cross-user GraphQL client confusion
History

Sat, 27 Jun 2026 03:30:00 +0000

Values added:
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 16:45:00 +0000

Values added:
Description: GitHub MCP Server is GitHub's official MCP Server. From 0.22.0 until 1.1.2, when running in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton initialized with the first authenticated user's GraphQL client. All subsequent requests from different users share this singleton and their lockdown-related GraphQL queries are executed using the first user's credentials. The singleton is never updated to reflect later users' tokens. This vulnerability is fixed in 1.1.2.
Title: GitHub MCP Server: Lockdown mode singleton in HTTP server causes cross-user GraphQL client confusion
Weaknesses: CWE-284
References:
Metrics (cvssV3_1): {'score': 6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-27T02:43:34.588Z

Reserved: 2026-05-21T16:18:10.619Z

Link: CVE-2026-48529

Vulnrichment

Updated: 2026-06-27T02:43:21.930Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:30:05Z

Weaknesses