
GitHub Enterprise Server · EUVD-2026-41145

CVE-2026-14340 · MEDIUM · 5.3 (CVSS 4.0, Vendor: GitHub_P)
Incorrect Authorization (CWE-863)
2026-07-01 · Vendor: GitHub_P · GHSA-86rx-87q3-fqhc

Severity by source

Vendor (GitHub_P), PRIMARY: 5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 4.3 MEDIUM
Possession of a victim's user-to-server token is the access prerequisite (PR:L: the token belongs to an ordinary, low-privileged user); once the token is held, exploitation is straightforward (AC:L); scope is unchanged (S:U in 3.1 terms, SC:N/SI:N/SA:N in 4.0), and the impact is limited to low-consequence integrity writes with no confidentiality or availability effect. The 4.3 figure is the CVSS 3.1 base score of the vector below; the same metrics score 5.3 under CVSS 4.0, which is why the vendor and AI ratings differ while agreeing on every metric.
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_P).

CVSS Vector (Vendor: GitHub_P)

Metric breakdown of the vendor's CVSS 4.0 vector (quoted in full under Severity by source):
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low
User Interaction: None
Vulnerable System Confidentiality / Integrity / Availability: None / Low / None
Subsequent System Confidentiality / Integrity / Availability: None / None / None
Safety (S): Not Defined (CVSS 4.0 has no Scope metric; the S:X entry is the supplemental Safety metric, and all threat, environmental and supplemental metrics in this vector are left undefined)

Lifecycle Timeline

1. Analysis Generated: Jul 01, 2026, 21:35 (vuln.today)

Description (CVE.org)

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a user-to-server token scoped to a GitHub App installation to perform certain write operations on public repositories outside the token's intended scope. This was possible because the authorization check only verified that the installation had read permissions on the target repository rather than verifying that the token's installation was explicitly granted access to that repository. An attacker who obtained a victim's user-to-server token could create issues, issue comments, commit comments, and private vulnerability reports on any public repository, appearing as the victim user with no indication of the app involvement. This vulnerability was fixed by adding a repository scope check for user-to-server tokens issued by global apps. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program.
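The description above pins the bug to one predicate: the write check asked "can this installation read the target repository?" (true for every public repository) instead of "was this installation explicitly granted the target repository?". The following Ruby model is an added example, not GitHub Enterprise Server code: the Struct names, the can_read? and grants_repository? helpers, the global flag that stands in for "global apps", the 403 message and the sample data are all assumptions made up so that the vulnerable and fixed checks can be run side by side.

```ruby
# Illustrative model of the CWE-863 check behind CVE-2026-14340. Not GitHub's
# code: every name and the data below are assumptions made for this example.

# A repository; anyone can read a public one.
Repository = Struct.new(:full_name, :public, keyword_init: true)

# A GitHub App installation. `granted_repos` is the explicit
# installation-to-repository binding; `global` marks an instance-wide app
# (the "global apps" whose user-to-server tokens the advisory covers).
Installation = Struct.new(:id, :global, :granted_repos, keyword_init: true) do
  # Read permission as the vulnerable check saw it: every public repository
  # plus anything explicitly granted.
  def can_read?(repo)
    repo.public || granted_repos.include?(repo.full_name)
  end

  # Explicit grant only; public visibility does not count.
  def grants_repository?(repo)
    granted_repos.include?(repo.full_name)
  end
end

# A user-to-server token: acts as `user`, bounded by `installation`.
UserToServerToken = Struct.new(:user, :installation, keyword_init: true)

# Vulnerable authorization (assumed shape): for global apps the write is
# allowed whenever the installation can read the target, which holds for
# every public repository on the instance.
def authorize_write_vulnerable(token, repo)
  inst = token.installation
  return inst.can_read?(repo) if inst.global
  inst.can_read?(repo) && inst.grants_repository?(repo)
end

# Hardened authorization: the repository scope check now applies to global
# apps as well, so an explicit grant for the target repository is required.
def authorize_write_fixed(token, repo)
  inst = token.installation
  inst.can_read?(repo) && inst.grants_repository?(repo)
end

# The victim-attributed write: the stored record carries only the token's
# user, which is why the advisory says nothing indicates app involvement.
def create_issue(authorizer, token, repo, title)
  return { status: 403, body: "forbidden" } unless authorizer.call(token, repo)
  { status: 201, body: { repo: repo.full_name, title: title, user: token.user } }
end

# Constructed sample data: the app is granted one repository; the attacker,
# holding a stolen token, targets a public repository it was never granted.
SAMPLE_INSTALLATION = Installation.new(id: 42, global: true, granted_repos: ["octo/granted-repo"])
STOLEN_TOKEN = UserToServerToken.new(user: "victim", installation: SAMPLE_INSTALLATION)
TARGET_PUBLIC = Repository.new(full_name: "someone-else/public-project", public: true)
TARGET_PRIVATE = Repository.new(full_name: "someone-else/private-project", public: false)

# Runs the same request through both checks; returns the two HTTP statuses.
def demo(repo = TARGET_PUBLIC)
  {
    before: create_issue(method(:authorize_write_vulnerable), STOLEN_TOKEN, repo, "hello")[:status],
    after:  create_issue(method(:authorize_write_fixed), STOLEN_TOKEN, repo, "hello")[:status]
  }
end
```

Running demo on the ungranted public repository gives 201 before the fix and 403 after it; the private repository is refused by both, which matches the advisory's statement that only public repositories were reachable, and the granted repository is accepted by both, so the fix removes nothing a correctly scoped token could do.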

Analysis (AI)

Incorrect authorization in GitHub Enterprise Server allows an attacker who has obtained a victim's user-to-server token, issued by a GitHub App installation, to perform write operations on any public repository, regardless of whether that installation was explicitly granted access to the target repository. Affected versions span all GHES releases prior to 3.22, with fixes backported to six supported release trains. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

1. Access: obtain the victim's user-to-server token via a separate attack.
2. Delivery: identify a public repository on the GHES instance that the token's installation was not granted.
3. Exploit: send an authenticated API write request using the victim's token.
4. Execution: GHES checks only that the installation has read access to the repository.
5. Persist: the repository-scope binding check is bypassed.
6. Impact: a write action (issue, comment, private vulnerability report) is created as the victim user.

Vulnerability Assessment (AI)

Exploitation: requires the attacker to already possess a valid user-to-server token issued by a GitHub App installation on the target GHES instance; this is a hard prerequisite and not trivially obtained. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N) is consistent with the description: exploitation is network-accessible and requires no user interaction, but the attacker must already possess a victim's user-to-server token (PR:L), and the integrity impact is constrained to low-consequence write actions such as issue and comment creation. Private vulnerability reports deserve a second look despite the low rating: a forged report filed under the victim's name can mislead a maintainer's triage in a way an ordinary issue cannot. …

Exploit Scenario: An attacker who has separately obtained a victim's user-to-server token, for example through phishing, credential theft, or a compromised OAuth flow, submits API requests to a public repository that the victim's GitHub App installation does not explicitly cover. Because GHES only validates read access by the installation rather than the explicit installation-to-repository binding, the server accepts the request and creates an issue, comment, or private vulnerability report that appears to originate from the victim user, with nothing in the resulting record pointing at the app. …

Remediation: Upgrade GitHub Enterprise Server to the patched release for the installed branch: 3.16.20 (https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.20), 3.17.17 (https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.17), 3.18.11 (https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.11), 3.19.8 (https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.8), 3.20.4 (https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.4), or 3.21.2 (https://docs.github.com/en/enterprise-server@3.21/admin/release-notes#3.21.2). Releases from 3.22 onward are not affected, and trains older than 3.16 received no backport in the advisory and must move to a supported train. The patch is a server-side authorization change only; a user-to-server token already in an attacker's hands remains valid for everything the installation was legitimately granted, so tokens suspected of being stolen still need to be revoked. …
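Deciding which of the fixed versions applies to a given appliance is a per-train comparison with two edges (3.22 and later are unaffected; trains older than 3.16 have no fixed release). The helper below is an added triage example, not vuln.today or GitHub tooling; it encodes only the versions from the advisory text, and it assumes the caller has already obtained the installed version string (for example from the GHES REST endpoint GET /api/v3/meta, whose response carries installed_version, or from ghe-version on the appliance).

```ruby
# Added triage helper for CVE-2026-14340. Fixed versions are taken verbatim
# from the advisory; obtaining the installed version is left to the caller.

FIXED_IN = {
  "3.16" => "3.16.20",
  "3.17" => "3.17.17",
  "3.18" => "3.18.11",
  "3.19" => "3.19.8",
  "3.20" => "3.20.4",
  "3.21" => "3.21.2"
}.freeze

# The advisory says every version prior to 3.22 is affected.
FIRST_UNAFFECTED_TRAIN = Gem::Version.new("3.22")

# Classifies an installed GHES version string. Returns one of:
#   :unaffected                 - 3.22 or later, never had the bug
#   :patched                    - at or above the fixed release of its train
#   :vulnerable_upgrade_in_train - fix exists on this train; apply it
#   :vulnerable_no_fix_in_train  - train older than 3.16; no backport was
#                                  published, so move to a supported train
def ghes_status(installed)
  v = Gem::Version.new(installed)
  return :unaffected if v >= FIRST_UNAFFECTED_TRAIN

  train = v.segments[0, 2].join(".")      # "3.19.7" -> "3.19"
  fixed = FIXED_IN[train]
  return :vulnerable_no_fix_in_train if fixed.nil?

  v >= Gem::Version.new(fixed) ? :patched : :vulnerable_upgrade_in_train
end

# Convenience for fleet triage: maps each host to its status. The host list
# is constructed sample data, not real appliances.
def triage(hosts = { "ghes-a" => "3.19.7", "ghes-b" => "3.21.2", "ghes-c" => "3.15.9", "ghes-d" => "3.22.1" })
  hosts.transform_values { |ver| ghes_status(ver) }
end
```

Gem::Version compares release segments numerically, so "3.19.10" sorts above "3.19.8" and "3.22.0" compares equal to "3.22"; a naive string comparison would get both wrong.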


Related GitHub Enterprise Server advisories

CVE-2026-9312 · CRITICAL 9.2 · May 27 · Server-side request forgery in GitHub Enterprise Server lets an unauthenticated attacker coerce the appliance into issui …
CVE-2026-0573 · CRITICAL 9.0 · Feb 18 · URL redirection vulnerability in GitHub Enterprise Server allows attacker-controlled redirects through crafted URLs, pot …
CVE-2026-3854 · HIGH 8.7 · POC · Mar 10 · Remote code execution in GitHub Enterprise Server allows authenticated users with repository push access to execute arbi …
CVE-2025-3246 · HIGH 8.6 · Apr 17 · An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scr …
CVE-2026-4821 · HIGH 8.1 · Apr 21 · An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an …
CVE-2026-8034 · HIGH 7.9 · May 07 · Server-side request forgery in GitHub Enterprise Server's notebook viewer enables remote unauthenticated attackers to ac …
CVE-2025-3509 · HIGH 7.1 · Apr 17 · A Remote Code Execution (RCE) vulnerability was identified in GitHub Enterprise Server that allowed attackers to execute …
CVE-2026-4296 · HIGH 7.5 · Apr 21 · An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to byp …
CVE-2026-5845 · HIGH 7.2 · Apr 21 · An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server …
CVE-2026-1999 · HIGH 7.1 · Feb 18 · GitHub Enterprise Server allows authenticated webhook administrators to bypass network restrictions through Server-Side …
CVE-2026-8606 · HIGH 7.0 · May 26 · GitHub Enterprise Server …
CVE-2026-1355 · MEDIUM 6.5 · Feb 18 · GitHub Enterprise Server versions before 3.20 contain an authorization bypass in the repository migration upload endpoin …
