CVE-2026-48529
MediumCVSS 6.0Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
GitHub MCP Server versions 0.22.0 through 1.1.2, when running in HTTP mode with --lockdown-mode enabled, uses a process-global singleton RepoAccessCache initialized with the first authenticated user's GraphQL client. All subsequent requests from different users share this singleton and their lockdown-related GraphQL queries are executed using the first user's credentials.
Risk Assessment
The risk is that users may gain unauthorized access to repositories or bypass lockdown restrictions because their queries are processed using another user's token, potentially leading to data confidentiality and integrity breaches.
Recommendation
Immediately update GitHub MCP Server to version 1.1.2 or later, which fixes this vulnerability by properly managing user sessions.
Original NVD description (English source)
GitHub MCP Server is GitHub's official MCP Server. From 0.22.0 until 1.1.2, when running in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton initialized with the first authenticated user's GraphQL client. All subsequent requests from different users share this singleton and their lockdown-related GraphQL queries are executed using the first user's credentials. The singleton is never updated to reflect later users' tokens. This vulnerability is fixed in 1.1.2.

