Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable endpoint requires low-privilege authenticated session (PR:L); no scope change as both vulnerable component and impacted data reside within the same GHES instance; high confidentiality loss, no integrity or availability impact.
Primary rating from Vendor (GitHub_P).
Description (CVE.org)
A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to read source code from private repositories they did not have access to. The Copilot pull request description diff summary endpoint accepted a cross-repository comparison range and rendered the resulting diff without verifying that the requesting user was authorized to view the target repository. Exploitation required an authenticated account on the instance with read access to at least one repository to use as the comparison base. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, and 3.20.4. This vulnerability was reported via the GitHub Bug Bounty program.
Analysis (AI)
Unauthorized source code disclosure in GitHub Enterprise Server exposes private repository contents to any authenticated user on the instance, regardless of their actual repository permissions. The Copilot pull request description diff summary endpoint accepted cross-repository comparison ranges and rendered the resulting diff without verifying the requesting user held read access to the target repository - a missing authorization flaw (CWE-862) allowing lateral access to arbitrary private repositories. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires a valid authenticated user account on the specific GitHub Enterprise Server instance; unauthenticated remote attackers cannot exploit this vulnerability. … |
| Risk Assessment | The CVSS 4.0 score of 6.0 (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) accurately captures the threat profile: network-reachable, low complexity once the endpoint behavior is known, but gated behind a specific attack requirement (AT:P): the attacker must already possess an authenticated account with read access to at least one repository on the instance. … |
| Exploit Scenario | A developer contractor on a GitHub Enterprise Server instance holds read access to a single project repository for their engagement. Aware of the Copilot diff summary endpoint behavior, they craft an API request specifying a cross-repository comparison range that targets a sensitive internal repository containing proprietary source code they have no authorized access to. … |
| Remediation | The primary remediation is to upgrade GitHub Enterprise Server to a patched release: 3.17.17, 3.18.11, 3.19.8, or 3.20.4, as documented in GitHub's official release notes linked in the references above. … |
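The missing check that the description and analysis above identify, as an added example that is not GitHub's code: a Python sketch of a diff-summary handler that parses a `base...head` compare range (either side optionally prefixed `owner/repo:`) and contrasts the flawed pattern, which authorizes only the pull request's own repository, with the fixed pattern, which authorizes every repository the range names before anything is rendered. The range grammar, the user names and the `READ_ACCESS` table are constructed assumptions.

```python
# Added illustration of the CWE-862 pattern on this page, not GHES code; the
# users, repositories and compare-range grammar are constructed assumptions.
READ_ACCESS = {  # user -> repositories the user may read
    "contractor": {"acme/project-a"},
    "staff": {"acme/project-a", "acme/internal-core"},
}

class Forbidden(Exception):
    """Carries the first repository the user is not allowed to read."""

def parse_range(pr_repo, spec):
    """Parse `base...head`, each side `ref` or `owner/repo:ref`; a side with
    no repository prefix means the pull request's own repository."""
    parts = spec.split("...")
    if len(parts) != 2:
        raise ValueError("compare range must be base...head")
    sides = []
    for text in parts:
        repo, _, ref = text.rpartition(":")
        if not ref:
            raise ValueError("empty ref in compare range")
        sides.append((repo or pr_repo, ref))
    return sides

def can_read(user, repo):
    return repo in READ_ACCESS.get(user, set())

def render(sides):
    """Stand-in for the diff renderer: a label of what would be shown."""
    (b_repo, b_ref), (h_repo, h_ref) = sides
    return f"diff {b_repo}@{b_ref}...{h_repo}@{h_ref}"

def summarize_vulnerable(user, pr_repo, spec):
    """Before: checks only the PR's repository, then renders whichever
    repositories the range names (the missing authorization)."""
    if not can_read(user, pr_repo):
        raise Forbidden(pr_repo)
    return render(parse_range(pr_repo, spec))

def denied_repos(user, pr_repo, spec):
    """Repositories touched by the PR or the range that `user` cannot read."""
    touched = {pr_repo} | {repo for repo, _ in parse_range(pr_repo, spec)}
    return sorted(r for r in touched if not can_read(user, r))

def summarize_fixed(user, pr_repo, spec):
    """After: authorize every repository in the range before rendering."""
    denied = denied_repos(user, pr_repo, spec)
    if denied:
        raise Forbidden(denied[0])
    return render(parse_range(pr_repo, spec))
```

The point to carry over to a real handler is `denied_repos`: the authorization set is derived from the parsed range, not from the request's URL, so a cross-repository side cannot bypass the check.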
Same weakness: CWE-862 – Missing Authorization
EUVD-2026-40408
GHSA-42pg-j2h8-h5fw