What is the CVSS score of CVE-2026-3306?

CVE-2026-3306 has a CVSS 3.1 base score of 4.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Github are affected by CVE-2026-3306?

Organizations using An improper authorization vulnerability should be aware of moderate risk from CVE-2026-3306, a IDOR vulnerability rated CVSS 4.3.

Github CVE-2026-3306

MEDIUM

Authorization Bypass Through User-Controlled Key (CWE-639)

2026-03-10 product-cna@github.com

Github Enterprise Server

4.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Mar 10, 2026 - 18:19 nvd

MEDIUM 4.3

DescriptionNVD

An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed a user with read access to a repository and write access to a project to modify issue and pull request metadata through the project. When adding an item to a project that already existed, column value updates were applied without verifying the actor's repository write permissions. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3.

AnalysisAI

GitHub Enterprise Server allows users with read-only repository access and project write permissions to modify issue and pull request metadata by exploiting insufficient authorization checks when updating project items. An attacker with these limited permissions can alter sensitive metadata without the required repository write access, potentially disrupting workflow management and data integrity. …

RemediationAI

Within 30 days: Identify affected systems running GitHub Enterprise Server that allowed a user with read acces and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-3306 vulnerability details – vuln.today

Back

Github CVE-2026-3306

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code