Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network endpoint, low complexity; PR:L because write access to any repo is required; only metadata confidentiality impact, no integrity or availability effect.
Primary rating from Vendor (GitHub_P).
CVSS VectorVendor: GitHub_P
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with write access to any repository to read metadata from private repositories they did not have access to, including private repository owners and names, branch names, commit SHAs, commit messages, and the pushing actor. The delegated bypass endpoint resolved a rule suite directly from an attacker-supplied, encoded identifier without verifying that the requesting user could read the rule suite's repository, and because these identifiers are sequential an attacker could enumerate them across the instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.17.18, 3.18.12, 3.19.9, 3.20.5, and 3.21.3. This vulnerability was reported via the GitHub Bug Bounty program.
AnalysisAI
Missing authorization in GitHub Enterprise Server's delegated bypass endpoint exposes private repository metadata to any authenticated user with write access to a single repository on the same instance. The endpoint resolves rule suites from attacker-supplied encoded identifiers without verifying that the caller holds read permission on the target repository; because these identifiers are sequential, an attacker can enumerate them to harvest private repository names, owners, branch names, commit SHAs, commit messages, and pushing actors across the entire GHES instance. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be authenticated to the GitHub Enterprise Server instance and hold write access to at least one repository on that instance - this is the minimum required privilege (consistent with PR:L in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) yields a score of 5.3 (Medium), which is appropriately calibrated. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated developer at a company with a self-hosted GitHub Enterprise Server instance - possessing only write access to their own team's repository - iterates sequential integer-based rule suite identifiers through the delegated bypass API endpoint. For each valid identifier, the endpoint returns metadata from whichever repository owns that rule suite, regardless of the developer's access rights, allowing them to map out all private repositories on the instance including names, owners, recent commit messages, branch names, and committer identities. … |
| Remediation | Upgrade GitHub Enterprise Server to the appropriate patched release for the deployed support branch: 3.17.18 (release notes: https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.18), 3.18.12 (https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.12), 3.19.9 (https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.9), 3.20.5 (https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.5), or 3.21.3 (https://docs.github.com/en/enterprise-server@3.21/admin/release-notes#3.21.3). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Enterprise Server
View allThe RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and
An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. R
An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowe
An authentication bypass vulnerability was present in the GitHub Enterprise Server (GHES) when utilizing SAML single sig
An Authentication Bypass (CWE-287) vulnerability in ESMAC (aka Enterprise Server Monitor and Control) in Micro Focus Ent
User authentication with username and password credentials is ineffective in OpenText (Micro Focus) Visual COBOL, COBOL
An improper limitation of a pathname to a restricted directory vulnerability was identified in GitHub Enterprise Server
An improper access control vulnerability in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted
An XML signature wrapping vulnerability was present in GitHub Enterprise Server (GHES) when using SAML authentication wi
Server-side request forgery in GitHub Enterprise Server lets an unauthenticated attacker coerce the appliance into issui
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor rol
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor rol
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45191
GHSA-qhvh-xjh2-7c8c