What happened
GitHub's official MCP Server versions 0.22.0 through 1.1.1 contain a cross-tenant authorization flaw when running in HTTP mode with --lockdown-mode. The RepoAccessCache is a process-global singleton initialized with the first user's credentials. Subsequent users share the same cache and GraphQL client, bypassing repository access controls and potentially allowing unauthorized access to private repositories.
Why it matters
GitHub's official MCP server is the primary bridge between AI coding agents and GitHub repositories. Cross-tenant access in an MCP server means AI agents operating on behalf of one user can inadvertently or maliciously access private repositories belonging to other users, exposing source code, secrets stored in repos, and proprietary AI training data or model configs.
Attack vector
When running in HTTP mode with --lockdown-mode, the RepoAccessCache is initialized as a process-global singleton using the first authenticated user's GraphQL client. All subsequent requests from different users reuse this same client, so any user can access repositories authorized only for the first authenticated user: a cross-tenant authorization bypass.
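The two cache-binding strategies side by side, as an added Go illustration that is not github-mcp-server's own code: every type and function name here is hypothetical, and fakeClient stands in for a per-user GraphQL client.

```go
package main

import "sync"

// Constructed illustration of the singleton defect the advisory describes;
// not github-mcp-server's code, and every name here is hypothetical.
// fakeClient stands in for a per-user GraphQL client that knows which
// repositories its owner may read.
type fakeClient struct{ visible map[string]bool }

func (c *fakeClient) canRead(repo string) bool { return c.visible[repo] }

// repoAccessCache memoizes access decisions made through a single client.
type repoAccessCache struct {
	client *fakeClient
	mu     sync.Mutex
	memo   map[string]bool
}

func newCache(c *fakeClient) *repoAccessCache {
	return &repoAccessCache{client: c, memo: map[string]bool{}}
}

func (r *repoAccessCache) allowed(repo string) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	if _, ok := r.memo[repo]; !ok {
		r.memo[repo] = r.client.canRead(repo)
	}
	return r.memo[repo]
}

// Vulnerable pattern: one process-global cache bound to whichever client
// arrived first, so every later caller's own credentials are ignored.
var globalOnce sync.Once
var globalCache *repoAccessCache

func vulnerableAllowed(caller *fakeClient, repo string) bool {
	globalOnce.Do(func() { globalCache = newCache(caller) })
	return globalCache.allowed(repo)
}

// Hardened pattern: one cache per credential, selected by a per-user key
// (a token hash or user id in practice), so decisions never cross tenants.
var perUserCaches sync.Map // userKey -> *repoAccessCache

func hardenedAllowed(userKey string, caller *fakeClient, repo string) bool {
	c, _ := perUserCaches.LoadOrStore(userKey, newCache(caller))
	return c.(*repoAccessCache).allowed(repo)
}
```

In the vulnerable path the second user is judged, and memoized, against the first user's client; the hardened path keys both the client and its memo by the caller's own identity.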
Affected systems
github-mcp-server 0.22.0 – 1.1.1 (fixed in 1.1.2)
Mitigation
Upgrade to github-mcp-server 1.1.2. Advisory: https://github.com/github/github-mcp-server/security/advisories/GHSA-pjp5-fpmr-3349