CVE-2026-48529
Deferred Deferred - Pending Action

GitHub MCP Server Credential Leakage via RepoAccessCache Singleton

Vulnerability report for CVE-2026-48529, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-27

Assigner: GitHub, Inc.

Description

GitHub MCP Server is GitHub's official MCP Server. From 0.22.0 until 1.1.2, when running in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton initialized with the first authenticated user's GraphQL client. All subsequent requests from different users share this singleton and their lockdown-related GraphQL queries are executed using the first user's credentials. The singleton is never updated to reflect later users' tokens. This vulnerability is fixed in 1.1.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-27
Generated
2026-07-17
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
github github_mcp_server From 0.22.0 (inc) to 1.1.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-48529 is a security flaw in the GitHub MCP Server when running in HTTP mode with the --lockdown-mode enabled. The issue arises because a process-global singleton called RepoAccessCache is initialized with the first authenticated user's GraphQL client and is never updated for subsequent users.

As a result, all requests from different users share the same singleton instance, causing lockdown-related GraphQL queries to be executed using the first user's credentials instead of the current user's. This leads to incorrect authorization checks and potential security bypasses.

  • The ViewerLogin field in cache entries always reflects the first user's identity, causing incorrect content safety checks for other users.
  • Repository visibility and collaborator access are evaluated using the first user's token, leading to wrong trust decisions about external contributors' content.
  • If the first user's token is revoked or expires, all lockdown queries fail for all users until the process restarts, breaking protection.
Detection Guidance

Detection of this vulnerability involves identifying if the GitHub MCP Server is running in HTTP mode with the --lockdown-mode flag enabled and if it is a version between 0.22.0 and 1.1.2. Since the vulnerability is related to the RepoAccessCache singleton being initialized with the first authenticated user's GraphQL client and reused for all users, monitoring for incorrect authorization behavior or unexpected access patterns may indicate exploitation.

Specific commands to detect this vulnerability are not provided in the available resources.

Impact Analysis

This vulnerability can impact you by allowing unauthorized data access or modification because authorization checks are performed using the first authenticated user's credentials for all users.

It can cause incorrect decisions about whether to trust or sanitize content from external contributors, potentially exposing sensitive or unsafe data.

Additionally, if the first user's token is revoked or expires, the lockdown protections fail for all users, potentially leading to service disruption or loss of security controls until the server process is restarted.

Compliance Impact

This vulnerability causes incorrect authorization checks by using the first authenticated user's credentials for all subsequent users, potentially allowing unauthorized access to data.

Such unauthorized data access or modification can lead to violations of data protection regulations like GDPR and HIPAA, which require strict access controls and user-specific data handling.

Additionally, the failure of lockdown queries when the first user's token is revoked or expired can disrupt service protections, further risking compliance with security standards.

Mitigation Strategies

The immediate mitigation step is to upgrade the GitHub MCP Server to version 1.1.2 or later, where this vulnerability is fixed.

Additionally, if upgrading is not immediately possible, consider disabling the --lockdown-mode flag when running the HTTP server to avoid triggering the vulnerable code path.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48529. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart