
GitHub Enterprise Server · EUVD-2026-40407 | CVE-2026-9106 · MEDIUM
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
Published 2026-06-30 · Source: GitHub_P · GHSA-gfj9-8v3r-jh2q
4.8 · CVSS 4.0 · Vendor: GitHub_P

Severity by source

Vendor (GitHub_P), primary: 4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

vuln.today AI: 6.5 MEDIUM
CVSS 3.1: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Rationale for the AI scoring: PR:L reflects the need for a GHES account to register an OAuth app; UI:R (CVSS 3.1) and UI:A (CVSS 4.0) reflect the mandatory victim click on Authorize; S:C in the 3.1 vector because the token crosses from the attacker's application into the victim organization's runner management scope. The vendor's CVSS 4.0 vector rates the subsequent-system impact as none (SC:N/SI:N/SA:N).

Primary rating from Vendor (GitHub_P).

CVSS Vector (Vendor: GitHub_P)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low
User Interaction: Active
Vulnerable System impact: Confidentiality Low / Integrity Low / Availability Low
Subsequent System impact: None (CVSS 4.0 has no separate Scope metric)

Lifecycle Timeline

1. Analysis generated: Jun 30, 2026, 21:19 (vuln.today)

Description (CVE.org)

A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. An attacker could exploit this by creating an OAuth application requesting the manage_runners:org scope and directing a victim user to authorize it, as the scope was not displayed on the authorization consent screen. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program.

Analysis (AI)

OAuth scope concealment in GitHub Enterprise Server allows an attacker to obtain unauthorized control over an organization's GitHub Actions runner management by exploiting a missing scope disclosure on the authorization consent screen. The manage_runners:org OAuth scope, which governs CI/CD runner infrastructure, is never shown to the victim during the standard OAuth authorization flow, enabling a maliciously crafted OAuth application to acquire it without informed user consent. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

1. Access: register a malicious OAuth app on the GHES instance
2. Delivery: configure the app to request the manage_runners:org scope
3. Exploit: phish an organization member to the authorization URL
4. Execution: the victim authorizes without seeing the hidden scope
5. Persist: the attacker receives a token carrying the runner-management grant
6. Impact: manipulate the organization's CI/CD runner infrastructure
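The consent-screen defect that the attack chain above relies on, modelled as an added example (not GitHub's code and not part of this page). The scope-description table, the two renderers, the base URL, the client_id and the redirect URI are assumptions; the scope name manage_runners:org and the client_id / redirect_uri / scope parameters of /login/oauth/authorize are the real ones. The vulnerable renderer shows how a scope can be granted yet never displayed; the hardened one fails closed and checks that what is displayed equals what is granted.

```python
"""Model of the consent-screen defect behind CVE-2026-9106, with a
fail-closed fix.

Added example, not GitHub's code. The description table and the two
renderers are a simplified model (an assumption) of how a consent screen
turns requested scopes into lines the user sees. The scope name
manage_runners:org and the /login/oauth/authorize parameters are real;
the base URL, client_id and redirect URI are placeholders.
"""
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical description table. It deliberately lacks manage_runners:org
# to model a consent screen that was never taught about a newer scope.
SCOPE_DESCRIPTIONS = {
    "repo": "Full control of private repositories",
    "read:org": "Read org and team membership",
    "workflow": "Update GitHub Action workflows",
}


def build_authorize_url(base_url, client_id, scopes, redirect_uri):
    """The link an attacker sends to the victim: the authorization endpoint
    takes client_id, redirect_uri and a space-separated scope list."""
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    })
    return f"{base_url}/login/oauth/authorize?{query}"


def requested_scopes(url):
    """Recover the requested scope list from an authorization URL."""
    query = parse_qs(urlparse(url).query)
    return query.get("scope", [""])[0].split()


def render_consent_vulnerable(scopes):
    """Vulnerable pattern: look each scope up and silently skip unknowns.
    Every requested scope still lands in the grant; only the display is
    incomplete, which is the CWE-451 misrepresentation in the advisory.
    Returns (shown, granted); shown is a list of (scope, description)."""
    shown = [(s, SCOPE_DESCRIPTIONS[s]) for s in scopes if s in SCOPE_DESCRIPTIONS]
    granted = list(scopes)
    return shown, granted


def undisclosed_scopes(scopes):
    """Scopes the vulnerable screen would grant without ever displaying."""
    shown, granted = render_consent_vulnerable(scopes)
    displayed = {scope for scope, _ in shown}
    return [s for s in granted if s not in displayed]


class UndisclosedScopeError(ValueError):
    """Raised when a requested scope cannot be shown to the user."""


def render_consent_hardened(scopes):
    """Fail closed: a scope with no description aborts the flow instead of
    being granted invisibly, and the invariant 'displayed == granted' is
    checked before anything is returned."""
    shown = []
    for s in scopes:
        if s not in SCOPE_DESCRIPTIONS:
            raise UndisclosedScopeError(f"refusing to grant undisclosed scope {s!r}")
        shown.append((s, SCOPE_DESCRIPTIONS[s]))
    granted = list(scopes)
    if [s for s, _ in shown] != granted:
        raise UndisclosedScopeError("consent screen and grant diverged")
    return shown, granted


def hardened_refuses(scopes):
    """True if the fail-closed renderer would block this request."""
    try:
        render_consent_hardened(scopes)
    except UndisclosedScopeError:
        return True
    return False


if __name__ == "__main__":
    # Placeholder base URL, client_id and redirect URI (assumptions).
    url = build_authorize_url("https://ghes.example.internal", "0123456789abcdef0123",
                              ["repo", "manage_runners:org"], "https://attacker.example/cb")
    scopes = requested_scopes(url)
    shown, granted = render_consent_vulnerable(scopes)
    print("victim sees:", [f"{s}: {d}" for s, d in shown])
    print("token gets: ", granted)
    print("never shown:", undisclosed_scopes(scopes))
    print("hardened screen refuses:", hardened_refuses(scopes))
```

The fix GitHub shipped is not published on this page; the hardened renderer is one way to make the class of bug impossible rather than a claim about the vendor's patch. The property worth keeping from it is the last check: the set a consent screen displays must be compared against the set the grant will carry, on every request, not only when the description table happens to be complete.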

Vulnerability Assessment (AI)

Exploitation: Exploitation requires three concurrent conditions: (1) the target GitHub Enterprise Server instance must be running a release older than the fixed version for its minor line (3.16.20 / 3.17.17 / 3.18.11 / 3.19.8 / 3.20.4 / 3.21.2) and older than 3.22; (2) the attacker must possess a valid GHES account that is allowed to register an OAuth application; and (3) a victim who is a member of the target organization must be socially engineered into visiting the attacker-constructed OAuth authorization URL and actively clicking Authorize. …

Risk Assessment: The CVSS 4.0 score of 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L) characterizes this as a moderate-risk issue: network-reachable and low-complexity, but gated on an attacker account and an active victim click. …

Exploit Scenario: An attacker with a GitHub Enterprise Server account registers a new OAuth application configured to request the manage_runners:org scope. They craft a phishing message directing a target organization member, ideally one with runner management privileges, to a URL that initiates the OAuth authorization flow for this application. Because the consent screen does not list manage_runners:org, the member sees only the other requested scopes and authorizes; the resulting token carries the runner-management grant. …

Remediation: Upgrade GitHub Enterprise Server to the fixed release for your minor line (3.16.x → 3.16.20, 3.17.x → 3.17.17, 3.18.x → 3.18.11, 3.19.x → 3.19.8, 3.20.x → 3.20.4, 3.21.x → 3.21.2) or to 3.22 or later, and consult the version-specific GitHub release notes. The advisory describes a fix to the consent screen, not a revocation of grants already made, so also review existing OAuth application authorizations in affected organizations for tokens that already carry manage_runners:org and revoke any that are not expected. …
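Triage helpers covering both the exploit scenario (a token that carries manage_runners:org) and the remediation table above, as an added example that is not vuln.today's or GitHub's code. The fixed-version table is taken from the advisory. The X-OAuth-Scopes response header is how GitHub's API reports an OAuth token's scopes, but the header dict and the audit-log events below are constructed, and the event field names (action, actor, application_name, oauth_scopes) are an assumed simplification of the GHES audit-log schema rather than its exact shape.

```python
"""Triage helpers for CVE-2026-9106 on a GHES estate.

Added example, not vuln.today's or GitHub's code. Three checks:
  1. is the appliance on a fixed release (version table from the advisory);
  2. does a given OAuth token carry manage_runners:org (GitHub reports a
     token's scopes in the X-OAuth-Scopes response header of any
     authenticated API call);
  3. which OAuth authorizations in the audit log granted that scope.
The HTTP headers and audit-log events below are constructed samples, and
the audit event field names are an assumed simplification of the schema.
"""
import json

# Fixed releases per minor line, from the advisory. 3.22 and later are
# unaffected; minors below 3.16 are not listed and are reported as unknown.
FIXED = {
    (3, 16): (3, 16, 20),
    (3, 17): (3, 17, 17),
    (3, 18): (3, 18, 11),
    (3, 19): (3, 19, 8),
    (3, 20): (3, 20, 4),
    (3, 21): (3, 21, 2),
}


def parse_version(text):
    """'3.19.7' -> (3, 19, 7); GHES reports this form as installed_version."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(version):
    """Return 'fixed', 'vulnerable' or 'unknown' for an installed version."""
    major, minor, patch = parse_version(version)
    if (major, minor) >= (3, 22):
        return "fixed"
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "unknown"  # line not covered by the advisory
    return "fixed" if (major, minor, patch) >= fixed else "vulnerable"


HIGH_RISK = {"manage_runners:org"}


def token_scopes(headers):
    """Parse the comma-separated X-OAuth-Scopes header (name is case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("x-oauth-scopes", "")
    return {s.strip() for s in raw.split(",") if s.strip()}


def token_risky_scopes(headers):
    """High-risk scopes present on the token that produced these headers."""
    return sorted(token_scopes(headers) & HIGH_RISK)


def risky_authorizations(log_lines):
    """Group audit-log OAuth grants of a high-risk scope by application.
    One app authorized by several members is the pattern from the advisory."""
    hits = {}
    for line in log_lines:
        event = json.loads(line)
        if event.get("action") != "oauth_authorization.create":
            continue
        granted = set(event.get("oauth_scopes", [])) & HIGH_RISK
        if granted:
            hits.setdefault(event["application_name"], []).append(
                (event["actor"], sorted(granted)))
    return hits


# Constructed samples, not captured data.
SAMPLE_HEADERS = {
    "X-OAuth-Scopes": "repo, manage_runners:org",
    "X-Accepted-OAuth-Scopes": "",
}
SAMPLE_AUDIT_LOG = [
    json.dumps({"action": "oauth_application.create", "actor": "mallory",
                "application_name": "Build Helper"}),
    json.dumps({"action": "oauth_authorization.create", "actor": "alice",
                "application_name": "Build Helper",
                "oauth_scopes": ["repo", "manage_runners:org"]}),
    json.dumps({"action": "oauth_authorization.create", "actor": "bob",
                "application_name": "Build Helper",
                "oauth_scopes": ["manage_runners:org"]}),
    json.dumps({"action": "oauth_authorization.create", "actor": "carol",
                "application_name": "Wiki Sync",
                "oauth_scopes": ["read:org"]}),
]

if __name__ == "__main__":
    for v in ("3.19.7", "3.19.8", "3.22.0", "3.15.9"):
        print(v, patch_status(v))
    print("risky token scopes:", token_risky_scopes(SAMPLE_HEADERS))
    print("risky grants:", risky_authorizations(SAMPLE_AUDIT_LOG))
```

On a live appliance the version string comes from the installed_version field of the /meta API response and the audit log from the enterprise or organization audit-log export; the functions take plain strings, dicts and JSON lines so both sources fit without adaptation. The grouping by application is deliberate: a single OAuth app that several members authorized with manage_runners:org, created by an account that is not a known integration owner, is the shape of the phishing scenario described above.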


Related GitHub Enterprise Server vulnerabilities

CVE-2026-9312 · CRITICAL 9.2 · May 27: Server-side request forgery in GitHub Enterprise Server lets an unauthenticated attacker coerce the appliance into issui…
CVE-2026-0573 · CRITICAL 9.0 · Feb 18: URL redirection vulnerability in GitHub Enterprise Server allows attacker-controlled redirects through crafted URLs, pot…
CVE-2026-3854 · HIGH 8.7 · PoC · Mar 10: Remote code execution in GitHub Enterprise Server allows authenticated users with repository push access to execute arbi…
CVE-2025-3246 · HIGH 8.6 · Apr 17: An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scr…
CVE-2026-4821 · HIGH 8.1 · Apr 21: An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an…
CVE-2026-8034 · HIGH 7.9 · May 07: Server-side request forgery in GitHub Enterprise Server's notebook viewer enables remote unauthenticated attackers to ac…
CVE-2025-3509 · HIGH 7.1 · Apr 17: A Remote Code Execution (RCE) vulnerability was identified in GitHub Enterprise Server that allowed attackers to execute…
CVE-2026-4296 · HIGH 7.5 · Apr 21: An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to byp…
CVE-2026-5845 · HIGH 7.2 · Apr 21: An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server…
CVE-2026-1999 · HIGH 7.1 · Feb 18: GitHub Enterprise Server allows authenticated webhook administrators to bypass network restrictions through Server-Side…
CVE-2026-8606 · HIGH 7.0 · May 26
CVE-2026-1355 · MEDIUM 6.5 · Feb 18: GitHub Enterprise Server versions before 3.20 contain an authorization bypass in the repository migration upload endpoin…
