Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Token possession is the access prerequisite (PR:L); once held, exploitation is straightforward (AC:L); scope remains unchanged and impact is limited to low-severity integrity writes with no confidentiality or availability effect.
Primary rating from Vendor (GitHub_P).
CVSS VectorVendor: GitHub_P
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a user-to-server token scoped to a GitHub App installation to perform certain write operations on public repositories outside the token's intended scope. This was possible because the authorization check only verified that the installation had read permissions on the target repository rather than verifying that the token's installation was explicitly granted access to that repository. An attacker who obtained a victim's user-to-server token could create issues, issue comments, commit comments, and private vulnerability reports on any public repository, appearing as the victim user with no indication of the app involvement. This vulnerability was fixed by adding a repository scope check for user-to-server tokens issued by global apps. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program.
AnalysisAI
Incorrect authorization in GitHub Enterprise Server allows an attacker who has obtained a victim's user-to-server token - issued by a GitHub App installation - to perform write operations on any public repository, regardless of whether that installation was explicitly granted access to the target repository. Affected installations span all GHES versions prior to 3.22, with fixes backported to six supported release trains. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to possess a valid user-to-server token issued by a GitHub App installation on the target GHES instance; this is a hard prerequisite and not trivially obtained. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N) is consistent with the description: exploitation is network-accessible and requires no user interaction, but the attacker must already possess a victim's user-to-server token (PR:L), and the integrity impact is constrained to low-consequence write actions such as issue and comment creation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has separately obtained a victim's user-to-server token - for example through phishing, credential theft, or a compromised OAuth flow - submits API requests to a public repository that the victim's GitHub App installation does not explicitly cover. Because GHES only validates read-access by the installation rather than explicit installation-to-repository binding, the server accepts the request and creates an issue, comment, or private vulnerability report appearing to originate from the victim user. … |
| Remediation | Upgrade GitHub Enterprise Server to the patched release for the installed branch: 3.16.20 (https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.20), 3.17.17 (https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.17), 3.18.11 (https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.11), 3.19.8 (https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.8), 3.20.4 (https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.4), or 3.21.2 (https://docs.github.com/en/enterprise-server@3.21/admin/release-notes#3.21.2). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Enterprise Server
View allServer-side request forgery in GitHub Enterprise Server lets an unauthenticated attacker coerce the appliance into issui
URL redirection vulnerability in GitHub Enterprise Server allows attacker-controlled redirects through crafted URLs, pot
Remote code execution in GitHub Enterprise Server allows authenticated users with repository push access to execute arbi
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scr
An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an
Server-side request forgery in GitHub Enterprise Server's notebook viewer enables remote unauthenticated attackers to ac
A Remote Code Execution (RCE) vulnerability was identified in GitHub Enterprise Server that allowed attackers to execute
An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to byp
An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server
GitHub Enterprise Server allows authenticated webhook administrators to bypass network restrictions through Server-Side
Here is the multi-source synthesis for CVE-2026-8606: ```json { "product_name": "GitHub Enterprise Server", "summar
GitHub Enterprise Server versions before 3.20 contain an authorization bypass in the repository migration upload endpoin
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41145
GHSA-86rx-87q3-fqhc