Lucene search
K

9 matches found

Cvelist
Cvelist
added 2026/06/26 4:33 p.m.35 views

CVE-2026-48529 GitHub MCP Server: Lockdown mode singleton in HTTP server causes cross-user GraphQL client confusion

GitHub MCP Server is GitHub's official MCP Server. From 0.22.0 until 1.1.2, when running in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton initialized with the first authenticated user's GraphQL client. All subsequent requests from differe...

6CVSS0.00205EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/26 4:33 p.m.7 views

CVE-2026-48529

GitHub MCP Server is GitHub's official MCP Server. From 0.22.0 until 1.1.2, when running in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton initialized with the first authenticated user's GraphQL client. All subsequent requests from differe...

6CVSS5.8AI score0.00205EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/26 4:33 p.m.22 views

CVE-2026-48529

GitHub MCP Server (versions 0.22.0–1.1.2) in HTTP mode with --lockdown-mode stores RepoAccessCache as a process-global singleton initialized with the first authenticated user’s GraphQL client. All subsequent requests reuse that singleton, causing lockdown queries to run with the first user’s toke...

6CVSS5.8AI score0.00205EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/06/25 9:32 p.m.8 views

GitHub MCP Server: Lockdown mode singleton in HTTP server causes cross-user GraphQL client confusion

Summary When running in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton initialized with the first authenticated user's GraphQL client. All subsequent requests from different users share this singleton and their lockdown-related GraphQL...

6CVSS5.9AI score0.00205EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.10 views

PT-2026-52644

Name of the Vulnerable Software and Affected Versions GitHub MCP Server versions 0.22.0 through 1.1.1 Description When operating in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton. This singleton is initialized using the GraphQL client of t...

6CVSS5.7AI score0.00205EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added 2026/05/14 8:21 a.m.13 views

CVE-2026-41050

Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo...

9.9CVSS5.9AI score0.00379EPSS
Exploits0References1
NVD
NVD
added 2026/03/10 8:16 p.m.5 views

CVE-2026-3582

An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token PAT lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user...

5.3CVSS0.00248EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/03/10 6:56 p.m.3 views

CVE-2026-3582 Incorrect Authorization in GitHub Enterprise Server allows access to issue and commit search results without repo scope

An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token PAT lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user...

5.3CVSS5.8AI score0.00248EPSS
Exploits0References4
The Hacker News
The Hacker News
added 2025/09/08 9:20 a.m.4 views

You Didn't Get Phished — You Onboarded the Attacker

When Attackers Get Hired: Today's New Identity Crisis What if the star engineer you just hired isn't actually an employee, but an attacker in disguise? This isn't phishing; it's infiltration by onboarding. Meet "Jordan from Colorado," who has a strong resume, convincing references, a clean...

6.5AI score
Exploits0
Rows per page
Query Builder