GitHub MCP Vulnerability
GitHub MCP gives full access to your GitHub repos (including private repo), ability to read/write issues, PR, etc
TLDR Version
An attacker can places a malicious issue like this and make the AI Agents to leak private information
How does it work?
- An attacker will create a malicious prompt as issue in a public repo
- If the user (who is using GitHub MCP) queries something like “fix the issues in X repo”
- The malicious prompt gets triggered, which in turn executes other actions like reading content from private repo without the user’s knowledge (assumption: “Always Allow” confirmation or similar policy is configured)
- Then the information gets leaked in public repo 🙈
Lesson
When using/building/experimenting with MCP, we need to be mindful of the attack like this and try to reduce the potential vulnerabilities
Credits
- Invariantlabs.ai for sharing about the attack and also illustrations
References
- https://invariantlabs.ai/blog/mcp-github-vulnerability
- https://simonwillison.net/2025/May/26/github-mcp-exploited/
Happy building apps!