CVE Catalog

CVE-2026-48529

MediumCVSS 6.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile — higher than 11% of all known CVEs

Summary

GitHub MCP Server versions 0.22.0 through 1.1.2, when running in HTTP mode with --lockdown-mode enabled, uses a process-global singleton RepoAccessCache initialized with the first authenticated user's GraphQL client. All subsequent requests from different users share this singleton and their lockdown-related GraphQL queries are executed using the first user's credentials.

Risk Assessment

The risk is that users may gain unauthorized access to repositories or bypass lockdown restrictions because their queries are processed using another user's token, potentially leading to data confidentiality and integrity breaches.

Recommendation

Immediately update GitHub MCP Server to version 1.1.2 or later, which fixes this vulnerability by properly managing user sessions.

Original NVD description (English source)

GitHub MCP Server is GitHub's official MCP Server. From 0.22.0 until 1.1.2, when running in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton initialized with the first authenticated user's GraphQL client. All subsequent requests from different users share this singleton and their lockdown-related GraphQL queries are executed using the first user's credentials. The singleton is never updated to reflect later users' tokens. This vulnerability is fixed in 1.1.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS