Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect URI validation. An attacker with knowledge of a first-party OAuth application's registered callback URL could craft a malicious authorization link that, when clicked by a victim, would redirect the OAuth authorization code to an attacker-controlled domain. This could allow the attacker to gain unauthorized access to the victim's account with the scopes granted to the OAuth application. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.
Analysis
An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect URI validation. An attacker with knowledge of a first-party OAuth application's registered callback URL could craft a malicious authorization link that, when clicked by a victim, would redirect the OAuth authorization code to an attacker-controlled domain. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Enterprise Server
View allServer-side request forgery in GitHub Enterprise Server lets an unauthenticated attacker coerce the appliance into issui
URL redirection vulnerability in GitHub Enterprise Server allows attacker-controlled redirects through crafted URLs, pot
Remote code execution in GitHub Enterprise Server allows authenticated users with repository push access to execute arbi
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scr
An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an
Server-side request forgery in GitHub Enterprise Server's notebook viewer enables remote unauthenticated attackers to ac
A Remote Code Execution (RCE) vulnerability was identified in GitHub Enterprise Server that allowed attackers to execute
An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server
GitHub Enterprise Server allows authenticated webhook administrators to bypass network restrictions through Server-Side
Here is the multi-source synthesis for CVE-2026-8606: ```json { "product_name": "GitHub Enterprise Server", "summar
GitHub Enterprise Server versions before 3.20 contain an authorization bypass in the repository migration upload endpoin
Stored cross-site scripting in GitHub Enterprise Server's Q&A Discussion feature allows an authenticated attacker to exe
Same weakness CWE-185 – Incorrect Regular Expression
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24545
GHSA-mcp7-23p7-2v34