GitHub Security Vulnerability via MCP
GitHub may or does have a problem via MCP
We showcase a critical vulnerability with the official GitHub MCP server, allowing attackers to access private repository data. The vulnerability is among the first discovered by Invariant's security analyzer for detecting toxic agent flows
While our experiments focused on Claude Desktop, the vulnerability is not specific to any particular agent or MCP client. It affects any agent that uses the GitHub MCP server, regardless of the underlying model or implementation.
Importantly, this is not a flaw in the GitHub MCP server code itself, but rather a fundamental architectural issue that must be addressed at the agent system level. This means that GitHub alone cannot resolve this vulnerability through server-side patches.
GitHub MCP Exploited: Accessing private repositories via MCP
We showcase a critical vulnerability with the official GitHub MCP server, allowing attackers to access private repository data. The vulnerability is among the first discovered by Invariant’s security analyzer for detecting toxic agent flows.
<br/><br/>Marco Milanta<br/>Luca Beurer-Kellner
GitHub - github/github-mcp-server: GitHub’s official MCP Server
GitHub’s official MCP Server. Contribute to github/github-mcp-server development by creating an account on GitHub.
github
The mitigations are listed in the first link, or you could just remove the integration in the second.
#enoughsaid