โ† Back to Dashboard

CVE-2026-48529

CVSS Score: 6.0
Severity: MEDIUM
Source: NVD
Published: Jun 26, 2026
Description

GitHub MCP Server is GitHub's official MCP Server. From 0.22.0 until 1.1.2, when running in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton initialized with the first authenticated user's GraphQL client. All subsequent requests from different users share this singleton and their lockdown-related GraphQL queries are executed using the first user's credentials. The singleton is never updated to reflect later users' tokens. This vulnerability is fixed in 1.1.2.
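The credential-capture pattern described above, shown as an added Go example that is not taken from the GitHub MCP Server code base. `Client`, `Token`, `LookupFlawed`, `SafeCache` and `NewSafeCache` are hypothetical names, the `sync.Once` initialization is an assumption about how such a singleton is commonly built, and the hardened variant is one possible design, not the 1.1.2 fix.

```go
package main

import (
	"fmt"
	"sync"
)

// Client models a per-user GraphQL client (constructed stand-in, not the project's type).
type Client struct{ Token string }

// Query returns the token a lockdown lookup would be authenticated with.
func (c *Client) Query() string { return c.Token }

// RepoAccessCache is a simplified model of the cache named in the advisory.
type RepoAccessCache struct{ client *Client }

var (
	once   sync.Once
	global *RepoAccessCache
)

// LookupFlawed builds the process-global cache from the first caller's client;
// every later caller's client is silently ignored.
func LookupFlawed(c *Client) string {
	once.Do(func() { global = &RepoAccessCache{client: c} })
	return global.client.Query()
}

// SafeCache stores no credentials. The caller's client is passed on every
// lookup, and entries are keyed per caller so results never cross users.
type SafeCache struct {
	mu      sync.Mutex
	entries map[string]string
}

func NewSafeCache() *SafeCache { return &SafeCache{entries: map[string]string{}} }

// Lookup runs the query with the requesting user's own client on a cache miss.
func (s *SafeCache) Lookup(c *Client, repo string) string {
	key := c.Token + "\x00" + repo
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.entries[key]; !ok {
		s.entries[key] = c.Query()
	}
	return s.entries[key]
}

func main() {
	alice, bob := &Client{Token: "token-alice"}, &Client{Token: "token-bob"} // constructed tokens
	fmt.Println(LookupFlawed(alice), LookupFlawed(bob))
	safe := NewSafeCache()
	fmt.Println(safe.Lookup(alice, "octo/repo"), safe.Lookup(bob, "octo/repo"))
}
```

A regression test for this class of bug issues two requests under different identities in one process and asserts that each lookup was authenticated as its own caller.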
