CVE-2026-48529
Status: Received - Intake
GitHub MCP Server Credential Leakage via RepoAccessCache Singleton

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
GitHub MCP Server is GitHub's official MCP Server. From 0.22.0 until 1.1.2, when running in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton initialized with the first authenticated user's GraphQL client. All subsequent requests from different users share this singleton and their lockdown-related GraphQL queries are executed using the first user's credentials. The singleton is never updated to reflect later users' tokens. This vulnerability is fixed in 1.1.2.
CVSS / EPSS scores: not available
Generated: 2026-06-26
EPSS evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: github
Product: github_mcp_server
Version / Range: from 0.22.0 (inclusive) to 1.1.2 (inclusive)
CWE
CWE-284 (Improper Access Control): The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

CVE-2026-48529 is a security flaw in the GitHub MCP Server when running in HTTP mode with the --lockdown-mode enabled. The issue arises because a process-global singleton called RepoAccessCache is initialized with the first authenticated user's GraphQL client and is never updated for subsequent users.

As a result, all requests from different users share the same singleton instance, causing lockdown-related GraphQL queries to be executed using the first user's credentials instead of the current user's. This leads to incorrect authorization checks and potential security bypasses.

  • The ViewerLogin field in cache entries always reflects the first user's identity, causing incorrect content safety checks for other users.
  • Repository visibility and collaborator access are evaluated using the first user's token, leading to wrong trust decisions about external contributors' content.
  • If the first user's token is revoked or expires, all lockdown queries fail for all users until the process restarts, breaking protection.
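The singleton pattern the description and summary above refer to, shown beside a per-token alternative, as an added illustration in Go (the language the server is written in); this is constructed example code, not the GitHub MCP Server's own, and the GraphQLClient fields, function names and the map-keyed fix are assumptions.

```go
package main

import "sync"

// GraphQLClient stands in for the per-user GitHub GraphQL client (assumed fields).
type GraphQLClient struct {
	Token, ViewerLogin string
}

// RepoAccessCache caches lockdown lookups; ViewerLogin is whose token its queries use.
type RepoAccessCache struct {
	client      *GraphQLClient
	ViewerLogin string
}

// Vulnerable shape (as the advisory describes): a process-global singleton
// initialised with the first request's client and never updated.
var globalCache *RepoAccessCache
var globalOnce sync.Once

func vulnerableGetCache(c *GraphQLClient) *RepoAccessCache {
	globalOnce.Do(func() {
		globalCache = &RepoAccessCache{client: c, ViewerLogin: c.ViewerLogin}
	})
	return globalCache // later callers inherit the first user's client
}

// Fixed shape: one cache per authenticated token (bound the map in real
// code), so lockdown queries run with the requesting user's credentials.
var cachesMu sync.Mutex
var caches = map[string]*RepoAccessCache{}

func fixedGetCache(c *GraphQLClient) *RepoAccessCache {
	cachesMu.Lock()
	defer cachesMu.Unlock()
	if cache, ok := caches[c.Token]; ok {
		return cache
	}
	cache := &RepoAccessCache{client: c, ViewerLogin: c.ViewerLogin}
	caches[c.Token] = cache
	return cache
}

// WhoRunsQuery reports which login a later user's lockdown query executes as
// under each strategy once an earlier user has already been served.
func WhoRunsQuery(first, later *GraphQLClient) (vulnerable, fixed string) {
	vulnerableGetCache(first)
	fixedGetCache(first)
	return vulnerableGetCache(later).ViewerLogin, fixedGetCache(later).ViewerLogin
}
```

With the singleton, the second user's ViewerLogin comes back as the first user's, which is exactly the wrong content-safety decision the summary describes; the per-token map keeps each user's queries on their own credentials.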
Impact Analysis

This vulnerability can lead to unauthorized data access or modification, because authorization checks for every user are performed with the first authenticated user's credentials.

It can cause incorrect decisions about whether to trust or sanitize content from external contributors, potentially exposing sensitive or unsafe data.

Additionally, if the first user's token is revoked or expires, the lockdown protections fail for all users, potentially leading to service disruption or loss of security controls until the server process is restarted.

Detection Guidance

Detecting this vulnerability means checking whether the GitHub MCP Server is running in HTTP mode with the --lockdown-mode flag enabled and whether its version is between 0.22.0 and 1.1.2. Because the flaw is that the RepoAccessCache singleton is initialized with the first authenticated user's GraphQL client and reused for all users, monitoring for incorrect authorization behavior or unexpected access patterns may indicate exploitation.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to upgrade the GitHub MCP Server to version 1.1.2 or later, where this vulnerability is fixed.

Additionally, if upgrading is not immediately possible, consider disabling the --lockdown-mode flag when running the HTTP server so the vulnerable code path is not reached; note that this removes the lockdown protections altogether, so it is a stopgap rather than a fix.

Compliance Impact

This vulnerability causes incorrect authorization checks by using the first authenticated user's credentials for all subsequent users, potentially allowing unauthorized access to data.

Such unauthorized data access or modification can lead to violations of data protection regulations like GDPR and HIPAA, which require strict access controls and user-specific data handling.

Additionally, the failure of lockdown queries when the first user's token is revoked or expired can disrupt service protections, further risking compliance with security standards.
