Description
Describe the bug
When running the GitHub MCP server (v0.31.0) using the new http command (streamable-http mode), the --read-only flag and the GITHUB_READ_ONLY=1 environment variable fail to restrict the server to read-only operations.
Modifying tools such as create_branch, create_pull_request, and merge_pull_request remain accessible in the tools/list response and are fully functional.
The behavior is identical whether testing locally with direct curl commands or when connecting an LLM client (e.g., LibreChat) to the server. In both scenarios, we successfully executed write actions despite the server being started with read-only enforcement.
Affected version
v0.31.0
Steps to reproduce the behavior
- Start the MCP server using Docker with the new http command and the --read-only flag:

      docker run -d --name mcp-github \
        --restart unless-stopped \
        -p 9002:8082 \
        -e GITHUB_PERSONAL_ACCESS_TOKEN="<VALID_PAT_WITH_REPO_SCOPE>" \
        ghcr.io/github/github-mcp-server:v0.31.0 \
        http --read-only

- Verify the container is running and received the flag: docker inspect mcp-github | grep read-only
- Prove write access by directly calling the create_branch tool via curl:

      curl -X POST http://localhost:9002/mcp \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer <VALID_PAT_WITH_REPO_SCOPE>" \
        -d '{
          "jsonrpc": "2.0",
          "method": "tools/call",
          "params": {
            "name": "create_branch",
            "arguments": {
              "owner": "<YOUR_ORG>",
              "repo": "<YOUR_REPO>",
              "branch": "test-branch-mcp-readonly-bypass"
            }
          },
          "id": 2
        }'

  Observation: The request succeeds, and the branch test-branch-mcp-readonly-bypass is physically created in the target repository on GitHub.
- When connected to an LLM client (like LibreChat) via streamable-http, asking the agent to "Create a branch called 'test-branch'" also succeeds, confirming the LLM has full write access.
Expected vs actual behavior
When the --read-only flag or GITHUB_READ_ONLY=1 environment variable is provided, the server should completely omit write/modifying tools from the tools/list response and block any incoming requests to execute those tools.
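
A check for the expected behavior stated above, as an added example that is not part of the original report or the project's code: it takes a tools/list response body, either plain JSON or SSE-framed, and returns every tool a read-only server should not expose. It assumes the server sets the MCP `readOnlyHint` tool annotation; the function names and the sample response are constructed for illustration.

```python
import json

# Write tools named in the report; extend this set for your own deployment.
KNOWN_WRITE_TOOLS = {"create_branch", "create_pull_request", "merge_pull_request"}

def parse_mcp_body(body: str) -> dict:
    """Decode a JSON-RPC reply sent as plain JSON or as SSE 'data:' frames."""
    text = body.replace("\r\n", "\n").strip()
    if text.startswith("{"):
        return json.loads(text)
    for event in text.split("\n\n"):
        data = [ln[5:].lstrip() for ln in event.split("\n") if ln.startswith("data:")]
        if data:
            msg = json.loads("\n".join(data))
            if "result" in msg or "error" in msg:
                return msg
    raise ValueError("no JSON-RPC response found in body")

def exposed_write_tools(body: str) -> list:
    """Return tool names a read-only server should not list (fails closed)."""
    msg = parse_mcp_body(body)
    if "error" in msg:
        raise ValueError(f"tools/list failed: {msg['error']}")
    findings = set()
    for tool in msg["result"]["tools"]:
        hint = (tool.get("annotations") or {}).get("readOnlyHint")
        # Anything not explicitly marked read-only is treated as write-capable.
        if tool["name"] in KNOWN_WRITE_TOOLS or hint is not True:
            findings.add(tool["name"])
    return sorted(findings)

# Constructed sample: an SSE-framed tools/list reply, not captured from a real server.
SAMPLE_SSE = (
    "event: message\n"
    'data: {"jsonrpc":"2.0","id":1,"result":{"tools":['
    '{"name":"get_file_contents","annotations":{"readOnlyHint":true}},'
    '{"name":"create_branch","annotations":{"readOnlyHint":false}},'
    '{"name":"merge_pull_request"}]}}\n\n'
)

if __name__ == "__main__":
    leaked = exposed_write_tools(SAMPLE_SSE)
    print("write tools exposed:", leaked or "none")
    raise SystemExit(1 if leaked else 0)
```

An empty result covers only the tools/list half of the expected behavior; the server must also reject a tools/call for a tool it no longer lists.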