GitHub Enterprise Server: EUVD-2026-40408 | CVE-2026-9132 (MEDIUM)
Missing Authorization (CWE-862)
Published 2026-06-30 · Source: GitHub_P · Advisory: GHSA-42pg-j2h8-h5fw
CVSS 4.0 base score: 6.0 (vendor rating)
Severity by source

Vendor (GitHub_P), primary rating: 6.0 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

vuln.today AI: 6.5 MEDIUM
The network-reachable endpoint requires a low-privilege authenticated session (PR:L); there is no scope change, because both the vulnerable component and the impacted data reside within the same GHES instance; high confidentiality loss, no integrity or availability impact.
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_P).

CVSS Vector (Vendor: GitHub_P)

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Present
Privileges Required: Low
User Interaction: None
Vulnerable System Confidentiality: High
Vulnerable System Integrity: None
Vulnerable System Availability: None
Subsequent System Confidentiality / Integrity / Availability: None
Threat and environmental metrics: not defined (X)

Lifecycle Timeline

1. Analysis generated: Jun 30, 2026, 21:21 (vuln.today)

Description (CVE.org)

A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to read source code from private repositories they did not have access to. The Copilot pull request description diff summary endpoint accepted a cross-repository comparison range and rendered the resulting diff without verifying that the requesting user was authorized to view the target repository. Exploitation required an authenticated account on the instance with read access to at least one repository to use as the comparison base. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, and 3.20.4. This vulnerability was reported via the GitHub Bug Bounty program.

Analysis (AI)

Unauthorized source code disclosure in GitHub Enterprise Server exposes private repository contents to any authenticated user on the instance, regardless of their actual repository permissions. The Copilot pull request description diff summary endpoint accepted cross-repository comparison ranges and rendered the resulting diff without verifying the requesting user held read access to the target repository - a missing authorization flaw (CWE-862) allowing lateral access to arbitrary private repositories. …
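The authorization gap described above, modelled as an added Ruby example. GHES is a Rails application, but this is not GHES code: the Copilot endpoint's real route and range parser are not on this page, so the compare-range syntax (ref, or owner/repo:ref for a cross-repository side), the fixture repositories and users, and the render_diff stand-in are all hypothetical. The point it shows is that the vulnerable shape authorizes only the repository in the request path, while the fixed shape authorizes every repository the range resolves to.

```ruby
require 'set'

# Constructed fixture (hypothetical): repositories on one GHES instance and the
# users allowed to read each. "acme/billing-core" is private to alice.
REPO_READERS = {
  'acme/public-site'  => Set['contractor', 'alice'],
  'acme/billing-core' => Set['alice']
}.freeze

Ref = Struct.new(:repo, :name)

# Parse "base...head". Each side is either "ref" (the repository the request was
# routed to) or "owner/repo:ref" (a cross-repository reference). This syntax is
# an illustrative model of GitHub's compare ranges, not the actual GHES parser.
def parse_range(range, routed_repo)
  base, head = range.split('...', 2)
  raise ArgumentError, 'range must be base...head' if head.nil? || base.empty? || head.empty?
  [base, head].map do |side|
    if side.include?(':')
      repo, ref = side.split(':', 2)
      Ref.new(repo, ref)
    else
      Ref.new(routed_repo, side)
    end
  end
end

def can_read?(user, repo)
  REPO_READERS.fetch(repo, Set[]).include?(user)
end

# Stand-in for the diff renderer: reports which repositories' contents the
# rendered diff would expose to the caller.
def render_diff(base, head)
  [base.repo, head.repo].uniq
end

# Vulnerable shape (CWE-862): access is checked only for the repository in the
# request path; the repositories named inside the range are never checked.
def summary_vulnerable(user, routed_repo, range)
  raise 'forbidden' unless can_read?(user, routed_repo)
  base, head = parse_range(range, routed_repo)
  render_diff(base, head)
end

# Hardened shape: resolve every repository the range touches and require read
# access to each one before any diff is computed. A missing repository and a
# private one both yield the same 'forbidden', so the response does not reveal
# whether the target exists.
def summary_fixed(user, routed_repo, range)
  base, head = parse_range(range, routed_repo)
  referenced = [routed_repo, base.repo, head.repo].uniq
  raise 'forbidden' unless referenced.all? { |repo| can_read?(user, repo) }
  render_diff(base, head)
end

if __FILE__ == $PROGRAM_NAME
  range = 'main...acme/billing-core:main'
  p summary_vulnerable('contractor', 'acme/public-site', range)
  begin
    summary_fixed('contractor', 'acme/public-site', range)
  rescue RuntimeError => e
    puts "fixed handler: #{e.message}"
  end
end
```

Run stand-alone, the vulnerable handler returns both repositories for the contractor, who only holds access to acme/public-site; the fixed handler refuses before rendering anything. The check has to happen after the range is parsed, because until then the handler does not know which repositories are being compared.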

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: obtain an authenticated GHES account with read access to at least one repository on the instance
Delivery: identify a target private repository on the same instance
Exploit: craft a cross-repository comparison range that names the target repository in a request to the Copilot diff summary endpoint
Execution: submit the request without holding any permission on the target repository
Impact: receive the rendered diff, and with it source code, of the private repository

Vulnerability Assessment (AI)

Exploitation: Exploitation requires a valid authenticated user account on the specific GitHub Enterprise Server instance; unauthenticated remote attackers cannot exploit this vulnerability. …

Risk Assessment: The CVSS 4.0 score of 6.0 (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) captures the threat profile: network-reachable and low complexity once the endpoint behaviour is known, but the attacker needs an authenticated account on the instance (PR:L) and, as the attack requirement (AT:P), read access to at least one repository to use as the comparison base. Confidentiality impact on the vulnerable system is high; there is no integrity, availability or subsequent-system impact. …

Exploit Scenario: A developer contractor on a GitHub Enterprise Server instance holds read access to a single project repository for their engagement. Aware of the Copilot diff summary endpoint's behaviour, they craft an API request whose cross-repository comparison range targets a sensitive internal repository containing proprietary source code they are not authorized to read. …

Remediation: The primary remediation is to upgrade GitHub Enterprise Server to a patched release: 3.17.17, 3.18.11, 3.19.8, or 3.20.4, as documented in GitHub's release notes for those versions. Instances already on 3.21 or later are not affected; instances on a release line older than 3.17 have no patch release for this issue and must move to one of the lines above. …
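A version check to go with the remediation above, added here as an example; it is not vuln.today's or GitHub's tooling. The fixed releases and the 3.21 boundary are taken from the CVE description. The assumption that the instance reports a plain major.minor.patch string, the function names and the sample versions are the example's own.

```ruby
# Fixed releases from the CVE description, keyed by release line.
FIXED_IN = { [3, 17] => 17, [3, 18] => 11, [3, 19] => 8, [3, 20] => 4 }.freeze
UNAFFECTED_FROM = [3, 21].freeze            # "all versions prior to 3.21" are affected
OLDEST_FIXED_LINE = FIXED_IN.keys.min.freeze

# The version string is assumed to be plain major.minor.patch, as reported in the
# X-GitHub-Enterprise-Version response header. Anything else is rejected rather
# than guessed at.
def parse_version(str)
  parts = str.to_s.strip.split('.')
  unless parts.size == 3 && parts.all? { |p| p.match?(/\A\d+\z/) }
    raise ArgumentError, "expected major.minor.patch, got #{str.inspect}"
  end
  parts.map(&:to_i)
end

# Returns { status: :unaffected | :patched | :vulnerable, upgrade_to: version or nil }.
def assess_cve_2026_9132(version_str)
  major, minor, patch = parse_version(version_str)
  line = [major, minor]
  return { status: :unaffected, upgrade_to: nil } if (line <=> UNAFFECTED_FROM) >= 0

  fixed_patch = FIXED_IN[line]
  if fixed_patch.nil?
    # A line older than 3.17 received no patch release for this CVE; the only
    # fix is moving to the oldest line that has one.
    target = "#{OLDEST_FIXED_LINE[0]}.#{OLDEST_FIXED_LINE[1]}.#{FIXED_IN[OLDEST_FIXED_LINE]}"
    return { status: :vulnerable, upgrade_to: target }
  end
  if patch >= fixed_patch
    { status: :patched, upgrade_to: nil }
  else
    { status: :vulnerable, upgrade_to: "#{major}.#{minor}.#{fixed_patch}" }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs; not real inventory data.
  %w[3.16.9 3.19.7 3.19.8 3.20.10 3.21.0].each do |v|
    puts "#{v}: #{assess_cve_2026_9132(v)}"
  end
end
```

The check is per release line: 3.20.10 is patched because the 3.20 line was fixed at 3.20.4, while 3.19.7 is still vulnerable even though its number is "higher" in other respects. Comparing against a single global version would get that wrong, which is the usual mistake when a vendor ships the same fix across several lines.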
