PT-2026-52644 · Github · Github Mcp Server

Published 2026-06-25 · Updated 2026-06-26 · CVE-2026-48529

CVSS v3.1: 6.0 (Medium)

Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: GitHub MCP Server versions 0.22.0 through 1.1.1

Description: When operating in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton. This singleton is initialized using the GraphQL client of the first authenticated user, and subsequent requests from different users continue to use this same instance. Consequently, lockdown-related GraphQL queries are executed using the credentials of the first user rather than the current requester's token.

This issue affects the GetInstance() function in pkg/lockdown/lockdown.go, which fails to update the internal client when called by different users. This leads to incorrect results in the IsSafeContent() function, which relies on queryRepoAccessInfo to determine whether content from external contributors should be trusted or sanitized. Potential impacts include incorrect repository visibility checks, unauthorized access to cached data based on the first user's permissions, and a total failure of lockdown protection if the first user's token expires.

Recommendations: Update GitHub MCP Server to version 1.1.2.
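The singleton flaw described above, reduced to its essentials as an added illustration (this is not the GitHub MCP Server's code; Client, Registry and the Owner field are stand-ins): the process-global cache keeps whichever client initialized it, so a second user's lockdown checks run under the first user's credentials, while a cache scoped per requester keeps each user's queries on their own token.

```go
package main

import "sync"

// Client stands in for a user's GraphQL client; Owner is the login the
// token belongs to (constructed stand-in, not the project's type).
type Client struct{ Owner string }

// RepoAccessCache remembers the client used for lockdown queries.
type RepoAccessCache struct{ client *Client }

// QueryAs reports whose credentials a lockdown query would be sent with.
func (c *RepoAccessCache) QueryAs() string { return c.client.Owner }

var (
	globalOnce  sync.Once
	globalCache *RepoAccessCache
)

// GetInstanceVulnerable mirrors the flaw: the first caller's client is kept
// for the whole process and every later caller's client is silently ignored.
func GetInstanceVulnerable(c *Client) *RepoAccessCache {
	globalOnce.Do(func() { globalCache = &RepoAccessCache{client: c} })
	return globalCache
}

// Registry is a hardened alternative: one cache per requester, so queries
// always run with the current requester's own token (hypothetical fix, not
// the upstream patch).
type Registry struct {
	mu     sync.Mutex
	caches map[string]*RepoAccessCache
}

func NewRegistry() *Registry { return &Registry{caches: map[string]*RepoAccessCache{}} }

// Get returns the requester's own cache, creating it on first use.
func (r *Registry) Get(c *Client) *RepoAccessCache {
	r.mu.Lock()
	defer r.mu.Unlock()
	if cache, ok := r.caches[c.Owner]; ok {
		return cache
	}
	cache := &RepoAccessCache{client: c}
	r.caches[c.Owner] = cache
	return cache
}
```

Keying the cache by the requester also removes the stale-token failure mode: an expired first-user token no longer silently disables lockdown checks for everyone else.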

Fix

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2026-48529
GHSA-PJP5-FPMR-3349

Affected Products

Github Mcp Server