GHSA-PJP5-FPMR-3349
Vulnerability from github – Published: 2026-06-25 21:32 – Updated: 2026-06-25 21:32Summary
When running in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton initialized with the first authenticated user's GraphQL client. All subsequent requests from different users share this singleton and their lockdown-related GraphQL queries are executed using the first user's credentials. The singleton is never updated to reflect later users' tokens.
Details
The singleton is defined in pkg/lockdown/lockdown.go:
var (
instance *RepoAccessCache
instanceMu sync.Mutex
)
func GetInstance(client *githubv4.Client, opts ...RepoAccessOption) *RepoAccessCache {
instanceMu.Lock()
defer instanceMu.Unlock()
if instance == nil {
instance = &RepoAccessCache{
client: client, // only stored on first call
}
}
return instance // subsequent callers receive the same object regardless of their client
}
In HTTP mode, pkg/github/dependencies.go calls this per request:
func (d *RequestDeps) GetRepoAccessCache(ctx context.Context) (*lockdown.RepoAccessCache, error) {
gqlClient, err := d.GetGQLClient(ctx) // creates client with request's token
...
instance := lockdown.GetInstance(gqlClient, d.RepoAccessOpts...)
// gqlClient is silently dropped if singleton already exists
return instance, nil
}
The singleton's internal client field is never updated after the first initialization. All lockdown GraphQL queries that check repository access and visibility (queryRepoAccessInfo, called by IsSafeContent) run under the first authenticated user's token for the lifetime of the process.
IsSafeContent is called in at least six places across pkg/github/issues.go and pkg/github/pullrequests.go to decide whether to trust or sanitize content from external contributors.
PoC
The following program demonstrates that two distinct GraphQL clients produce the same singleton pointer, confirming that the second client is discarded:
package main
import (
"fmt"
"net/http"
"github.com/github/github-mcp-server/pkg/lockdown"
"github.com/shurcooL/githubv4"
)
func main() {
httpClientA := &http.Client{}
httpClientB := &http.Client{}
gqlClientA := githubv4.NewEnterpriseClient("https://api.github.com/graphql", httpClientA)
gqlClientB := githubv4.NewEnterpriseClient("https://api.github.com/graphql", httpClientB)
fmt.Printf("gqlClientA (user A token): %p\n", gqlClientA)
fmt.Printf("gqlClientB (user B token): %p\n", gqlClientB)
fmt.Printf("clients are different objects: %v\n\n", gqlClientA != gqlClientB)
instanceForA := lockdown.GetInstance(gqlClientA)
instanceForB := lockdown.GetInstance(gqlClientB)
fmt.Printf("lockdown instance returned for user A: %p\n", instanceForA)
fmt.Printf("lockdown instance returned for user B: %p\n", instanceForB)
fmt.Printf("same singleton returned for both users: %v\n", instanceForA == instanceForB)
}
Output:
gqlClientA (user A token): 0x400044070
gqlClientB (user B token): 0x400044078
clients are different objects: true
lockdown instance returned for user A: 0x400002ecc0
lockdown instance returned for user B: 0x400002ecc0
same singleton returned for both users: true
Impact
This affects deployments running the HTTP server with --lockdown-mode, which is the intended configuration for multi-user scenarios such as GitHub Copilot's managed MCP endpoint.
Three concrete consequences:
First, the ViewerLogin field in cache entries always reflects the first authenticated user's identity. The IsSafeContent check repoInfo.ViewerLogin == strings.ToLower(username) compares this stale value against each subsequent user's login, producing incorrect results for all users except the first.
Second, repository visibility and collaborator access data stored in the cache is evaluated through the first user's token. If user A cannot see a private repository but user B can (or vice versa), the cached isPrivate and hasPushAccess values will reflect user A's view of that repository, causing IsSafeContent to return wrong decisions for user B. In lockdown mode, a wrong true result means potentially injected content from untrusted external contributors is passed to the model without sanitization.
Third, if the first user's token is revoked or expires, all subsequent lockdown GraphQL queries fail with authentication errors. Since getRepoAccessInfo propagates these errors, IsSafeContent returns an error for every request, breaking lockdown protection for all users until the process is restarted.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/github/github-mcp-server"
},
"ranges": [
{
"events": [
{
"introduced": "0.22.0"
},
{
"fixed": "1.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48529"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-25T21:32:09Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nWhen running in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton initialized with the first authenticated user\u0027s GraphQL client. All subsequent requests from different users share this singleton and their lockdown-related GraphQL queries are executed using the first user\u0027s credentials. The singleton is never updated to reflect later users\u0027 tokens.\n\n### Details\n\nThe singleton is defined in pkg/lockdown/lockdown.go:\n\n```go\nvar (\n instance *RepoAccessCache\n instanceMu sync.Mutex\n)\n\nfunc GetInstance(client *githubv4.Client, opts ...RepoAccessOption) *RepoAccessCache {\n instanceMu.Lock()\n defer instanceMu.Unlock()\n if instance == nil {\n instance = \u0026RepoAccessCache{\n client: client, // only stored on first call\n }\n }\n return instance // subsequent callers receive the same object regardless of their client\n}\n```\n\nIn HTTP mode, pkg/github/dependencies.go calls this per request:\n\n```go\nfunc (d *RequestDeps) GetRepoAccessCache(ctx context.Context) (*lockdown.RepoAccessCache, error) {\n gqlClient, err := d.GetGQLClient(ctx) // creates client with request\u0027s token\n ...\n instance := lockdown.GetInstance(gqlClient, d.RepoAccessOpts...)\n // gqlClient is silently dropped if singleton already exists\n return instance, nil\n}\n```\n\nThe singleton\u0027s internal client field is never updated after the first initialization. All lockdown GraphQL queries that check repository access and visibility (queryRepoAccessInfo, called by IsSafeContent) run under the first authenticated user\u0027s token for the lifetime of the process.\n\nIsSafeContent is called in at least six places across pkg/github/issues.go and pkg/github/pullrequests.go to decide whether to trust or sanitize content from external contributors.\n\n### PoC\n\nThe following program demonstrates that two distinct GraphQL clients produce the same singleton pointer, confirming that the second client is discarded:\n\n```go\npackage main\n\nimport (\n \"fmt\"\n \"net/http\"\n \"github.com/github/github-mcp-server/pkg/lockdown\"\n \"github.com/shurcooL/githubv4\"\n)\n\nfunc main() {\n httpClientA := \u0026http.Client{}\n httpClientB := \u0026http.Client{}\n gqlClientA := githubv4.NewEnterpriseClient(\"https://api.github.com/graphql\", httpClientA)\n gqlClientB := githubv4.NewEnterpriseClient(\"https://api.github.com/graphql\", httpClientB)\n\n fmt.Printf(\"gqlClientA (user A token): %p\\n\", gqlClientA)\n fmt.Printf(\"gqlClientB (user B token): %p\\n\", gqlClientB)\n fmt.Printf(\"clients are different objects: %v\\n\\n\", gqlClientA != gqlClientB)\n\n instanceForA := lockdown.GetInstance(gqlClientA)\n instanceForB := lockdown.GetInstance(gqlClientB)\n\n fmt.Printf(\"lockdown instance returned for user A: %p\\n\", instanceForA)\n fmt.Printf(\"lockdown instance returned for user B: %p\\n\", instanceForB)\n fmt.Printf(\"same singleton returned for both users: %v\\n\", instanceForA == instanceForB)\n}\n```\n\nOutput:\n\n```\ngqlClientA (user A token): 0x400044070\ngqlClientB (user B token): 0x400044078\nclients are different objects: true\n\nlockdown instance returned for user A: 0x400002ecc0\nlockdown instance returned for user B: 0x400002ecc0\nsame singleton returned for both users: true\n```\n\n\u003cimg width=\"1642\" height=\"450\" alt=\"image\" src=\"https://github.com/user-attachments/assets/bec46420-9ba7-458e-8710-62f951cb836a\" /\u003e\n\n\n### Impact\n\nThis affects deployments running the HTTP server with --lockdown-mode, which is the intended configuration for multi-user scenarios such as GitHub Copilot\u0027s managed MCP endpoint.\n\nThree concrete consequences:\n\nFirst, the ViewerLogin field in cache entries always reflects the first authenticated user\u0027s identity. The IsSafeContent check `repoInfo.ViewerLogin == strings.ToLower(username)` compares this stale value against each subsequent user\u0027s login, producing incorrect results for all users except the first.\n\nSecond, repository visibility and collaborator access data stored in the cache is evaluated through the first user\u0027s token. If user A cannot see a private repository but user B can (or vice versa), the cached isPrivate and hasPushAccess values will reflect user A\u0027s view of that repository, causing IsSafeContent to return wrong decisions for user B. In lockdown mode, a wrong true result means potentially injected content from untrusted external contributors is passed to the model without sanitization.\n\nThird, if the first user\u0027s token is revoked or expires, all subsequent lockdown GraphQL queries fail with authentication errors. Since getRepoAccessInfo propagates these errors, IsSafeContent returns an error for every request, breaking lockdown protection for all users until the process is restarted.",
"id": "GHSA-pjp5-fpmr-3349",
"modified": "2026-06-25T21:32:09Z",
"published": "2026-06-25T21:32:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/github/github-mcp-server/security/advisories/GHSA-pjp5-fpmr-3349"
},
{
"type": "PACKAGE",
"url": "https://github.com/github/github-mcp-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "GitHub MCP Server: Lockdown mode singleton in HTTP server causes cross-user GraphQL client confusion"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.