Skip to main content

Github CVE-2026-0573

CRITICAL
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-02-18 product-cna@github.com
9.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.0 CRITICAL
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Feb 18, 2026 - 21:16 nvd
CRITICAL 9.0

DescriptionGitHub Advisory

An URL redirection vulnerability was identified in GitHub Enterprise Server that allowed attacker-controlled redirects to leak sensitive authorization tokens. The repository_pages API insecurely followed HTTP redirects when fetching artifact URLs, preserving the authorization header containing a privileged JWT. An authenticated user could redirect these requests to an attacker-controlled domain, exfiltrate the Actions.ManageOrgs JWT, and leverage it for potential remote code execution. Attackers would require access to the target GitHub Enterprise Server instance and the ability to exploit a legacy redirect to an attacker-controlled domain. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19 and was fixed in versions 3.19.2, 3.18.4, 3.17.10, 3.16.13, 3.15.17, and 3.14.22. This vulnerability was reported via the GitHub Bug Bounty program.

AnalysisAI

URL redirection vulnerability in GitHub Enterprise Server allows attacker-controlled redirects through crafted URLs, potentially enabling credential theft via phishing.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to GitHub Enterprise Server
Delivery
Craft malicious repository_pages API request with attacker-controlled redirect URL
Exploit
Server follows redirect while preserving JWT authorization header
Execution
Exfiltrate Actions.ManageOrgs JWT token
Impact
Use stolen JWT for remote code execution

Vulnerability AssessmentAI

Exploitation Authenticated user access to GitHub Enterprise Server instance with repository_pages API enabled; ability to control artifact URLs or inject redirect targets in API responses; victim must click or trigger the crafted request via UI interaction Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 9.0. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario Attacker crafts URL on the company's GitHub Enterprise domain that redirects to a phishing page mimicking the login, steals developer credentials or SSO tokens.
Remediation Apply GitHub Enterprise Server update. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Disable the repository_pages API if not actively required, audit recent API access logs for suspicious redirect patterns, and notify all GitHub Enterprise administrators. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Github

View all
CVE-2026-1699 CRITICAL POC
10.0 Jan 30

Supply chain vulnerability in Eclipse Theia GitHub Actions workflow. The preview.yml workflow uses pull_request_target w

CVE-2026-27941 CRITICAL POC
9.9 Feb 26

Supply chain attack vector in OpenLIT GitHub Actions workflows. The pull_request_target trigger with checkout enables ma

CVE-2026-22869 CRITICAL POC
9.8 Jan 13

Eigent multi-agent workflow CI pipeline (ci.yml) uses pull_request_target with checkout of untrusted PR code, enabling a

CVE-2026-28215 CRITICAL POC
9.1 Feb 26

Unauthenticated infrastructure overwrite in Hoppscotch API development ecosystem before 2026.2.0. Attackers can overwrit

CVE-2026-30920 HIGH POC
8.6 Mar 10

OneUptime versions prior to 10.0.19 allow unauthenticated attackers to hijack GitHub App integrations across projects by

CVE-2026-25221 HIGH POC
8.1 Feb 02

PolarLearn versions 0-PRERELEASE-15 and earlier lack proper state parameter validation in OAuth 2.0 authentication, enab

CVE-2026-23644 HIGH POC
7.5 Jan 18

Path traversal in esm.sh CDN prior to version 0.0.0-20260116051925-c62ab83c589e allows unauthenticated remote attackers

CVE-2025-68619 HIGH POC
7.2 Jan 01

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore i

CVE-2026-27943 MEDIUM POC
6.5 Feb 26

Authenticated users in OpenEMR through version 8.0.0 can access and modify eye exam records belonging to other patients

CVE-2026-23889 MEDIUM POC
6.5 Jan 26

Path traversal in pnpm's tarball extraction on Windows allows attackers to write files outside the intended package dire

CVE-2026-27612 MEDIUM POC
6.1 Feb 25

Reflected XSS in Repostat's RepoCard React component prior to version 1.0.1 allows attackers to execute arbitrary JavaSc

CVE-2025-49013 CRITICAL
9.9 Jun 09

A security vulnerability in WilderForge (CVSS 9.9). Critical severity with potential for significant impact on affected

Share

CVE-2026-0573 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy