Skip to main content

GitHub Enterprise Server CVE-2026-15783

| EUVDEUVD-2026-45191 MEDIUM
Missing Authorization (CWE-862)
2026-07-17 GitHub_P GHSA-qhvh-xjh2-7c8c
5.3
CVSS 4.0 · Vendor: GitHub_P
Share

Severity by source

Vendor (GitHub_P) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network endpoint, low complexity; PR:L because write access to any repo is required; only metadata confidentiality impact, no integrity or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_P).

CVSS VectorVendor: GitHub_P

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 17, 2026 - 16:16 vuln.today

DescriptionCVE.org

A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with write access to any repository to read metadata from private repositories they did not have access to, including private repository owners and names, branch names, commit SHAs, commit messages, and the pushing actor. The delegated bypass endpoint resolved a rule suite directly from an attacker-supplied, encoded identifier without verifying that the requesting user could read the rule suite's repository, and because these identifiers are sequential an attacker could enumerate them across the instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.17.18, 3.18.12, 3.19.9, 3.20.5, and 3.21.3. This vulnerability was reported via the GitHub Bug Bounty program.

AnalysisAI

Missing authorization in GitHub Enterprise Server's delegated bypass endpoint exposes private repository metadata to any authenticated user with write access to a single repository on the same instance. The endpoint resolves rule suites from attacker-supplied encoded identifiers without verifying that the caller holds read permission on the target repository; because these identifiers are sequential, an attacker can enumerate them to harvest private repository names, owners, branch names, commit SHAs, commit messages, and pushing actors across the entire GHES instance. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as any user with repository write access
Exploit
Enumerate sequential rule suite identifiers via delegated bypass endpoint
Execution
Receive private repository metadata without access check
Impact
Map private repositories, owners, branches, and commit history across the instance

Vulnerability AssessmentAI

Exploitation The attacker must be authenticated to the GitHub Enterprise Server instance and hold write access to at least one repository on that instance - this is the minimum required privilege (consistent with PR:L in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) yields a score of 5.3 (Medium), which is appropriately calibrated. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated developer at a company with a self-hosted GitHub Enterprise Server instance - possessing only write access to their own team's repository - iterates sequential integer-based rule suite identifiers through the delegated bypass API endpoint. For each valid identifier, the endpoint returns metadata from whichever repository owns that rule suite, regardless of the developer's access rights, allowing them to map out all private repositories on the instance including names, owners, recent commit messages, branch names, and committer identities. …
Remediation Upgrade GitHub Enterprise Server to the appropriate patched release for the deployed support branch: 3.17.18 (release notes: https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.18), 3.18.12 (https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.12), 3.19.9 (https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.9), 3.20.5 (https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.5), or 3.21.3 (https://docs.github.com/en/enterprise-server@3.21/admin/release-notes#3.21.3). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2013-4854 HIGH POC
7.8 Jul 29

The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and

CVE-2024-0200 CRITICAL POC
9.8 Jan 16

An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. R

CVE-2024-9487 CRITICAL POC
9.5 Oct 10

An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowe

CVE-2024-4985 CRITICAL
10.0 May 20

An authentication bypass vulnerability was present in the GitHub Enterprise Server (GHES) when utilizing SAML single sig

CVE-2017-7420 CRITICAL
9.8 Aug 21

An Authentication Bypass (CWE-287) vulnerability in ESMAC (aka Enterprise Server Monitor and Control) in Micro Focus Ent

CVE-2023-4501 CRITICAL
9.8 Sep 12

User authentication with username and password credentials is ineffective in OpenText (Micro Focus) Visual COBOL, COBOL

CVE-2022-46255 CRITICAL
9.8 Dec 14

An improper limitation of a pathname to a restricted directory vulnerability was identified in GitHub Enterprise Server

CVE-2021-22869 CRITICAL
9.8 Sep 24

An improper access control vulnerability in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted

CVE-2024-6800 CRITICAL
9.5 Aug 20

An XML signature wrapping vulnerability was present in GitHub Enterprise Server (GHES) when using SAML authentication wi

CVE-2026-9312 CRITICAL
9.2 May 27

Server-side request forgery in GitHub Enterprise Server lets an unauthenticated attacker coerce the appliance into issui

CVE-2024-1378 CRITICAL
9.1 Feb 13

A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor rol

CVE-2024-1374 CRITICAL
9.1 Feb 13

A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor rol

Share

CVE-2026-15783 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy