Description
A URL redirection vulnerability was identified in GitHub Enterprise Server that allowed attacker-controlled redirects to leak sensitive authorization tokens. The repository_pages API insecurely followed HTTP redirects when fetching artifact URLs, preserving the authorization header containing a privileged JWT. An authenticated user could redirect these requests to an attacker-controlled domain, exfiltrate the Actions.ManageOrgs JWT, and leverage it for potential remote code execution. Attackers would require access to the target GitHub Enterprise Server instance and the ability to exploit a legacy redirect to an attacker-controlled domain. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19 and was fixed in versions 3.19.2, 3.18.4, 3.17.10, 3.16.13, 3.15.17, and 3.14.22. This vulnerability was reported via the GitHub Bug Bounty program.
Published: 2026-02-18
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via compromised authorization token
Action: Immediate Patch
AI Analysis

Impact

A flaw in the repository_pages API of GitHub Enterprise Server allowed the server to blindly follow HTTP redirects when retrieving artifact URLs, while preserving the Authorization header that contained a privileged JSON Web Token. The exposed token (Actions.ManageOrgs JWT) could be exfiltrated by redirecting the request to an attacker-controlled domain, giving the attacker the means to execute arbitrary code on the target instance. The underlying weakness is a redirect handling issue (CWE-601).
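The weakness class described above, as an added example that is not GitHub's code or the patched repository_pages implementation: a redirect-following client whose `strip_on_cross_origin` switch either reproduces the credential-forwarding behaviour or drops the Authorization header as soon as a redirect leaves the original origin. The host names, artifact path and token value are constructed, and `constructed_transport` stands in for the network.

```python
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials and must not travel to a different origin.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}
DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def origin(url):
    """(scheme, host, port) of a URL, with default ports filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def headers_for_redirect(current_url, location, headers, strip_on_cross_origin=True):
    """Resolve a Location header and decide which request headers may follow it.
    strip_on_cross_origin=False reproduces the flaw on this page: credentials are
    re-sent to whatever host the redirect names."""
    next_url = urljoin(current_url, location)
    if not strip_on_cross_origin or origin(next_url) == origin(current_url):
        return next_url, dict(headers)
    return next_url, {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


def fetch_following_redirects(url, headers, transport, max_hops=5, strip_on_cross_origin=True):
    """Drive transport(url, headers) -> (status, response_headers, body) through 3xx hops,
    refusing an https -> http downgrade that would expose the remaining headers."""
    for _ in range(max_hops):
        status, resp_headers, body = transport(url, headers)
        location = resp_headers.get("Location")
        if status not in REDIRECT_STATUSES or location is None:
            return url, status, body
        next_url, headers = headers_for_redirect(url, location, headers, strip_on_cross_origin)
        if origin(url)[0] == "https" and origin(next_url)[0] != "https":
            raise ValueError("refusing https -> http downgrade on redirect")
        url = next_url
    raise ValueError("too many redirects")


def constructed_transport(received):
    """In-memory stand-in for the network (constructed): the server's own artifact host
    answers 302 to an external host, which records whatever headers reach it."""
    def transport(url, headers):
        if urlsplit(url).hostname == "ghes.example.internal":
            return 302, {"Location": "https://external.example.net/collect"}, b""
        received.append(dict(headers))
        return 200, {}, b"ok"
    return transport
```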

Affected Systems

GitHub Enterprise Server for all releases prior to 3.19 is affected. The issue was resolved in releases 3.14.22, 3.15.17, 3.16.13, 3.17.10, 3.18.4, and 3.19.2; any older versions remain vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.6 and an EPSS score of less than 1%, indicating a very low current probability of exploitation. It is not listed in the CISA KEV catalog. Attackers would need authenticated access to the target GitHub Enterprise Server instance and the ability to steer the vulnerable redirect, issued while the request still carries its Authorization header, to a domain they control. The risk is moderate overall, but the potential for remote code execution warrants swift remediation.

Generated by OpenCVE AI on April 17, 2026 at 18:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update GitHub Enterprise Server to the latest release (v3.19.2) or install the version-specific patches (v3.18.4, v3.17.10, v3.16.13, v3.15.17, v3.14.22) that remove the vulnerable redirect handling.
  • If an update cannot be applied immediately, disable or restrict the use of the repository_pages API and any endpoints that may trigger HTTP redirects until the fixes are applied.
  • Monitor logs for unexpected outbound redirects and unusual token usage to detect possible exploitation attempts.

Generated by OpenCVE AI on April 17, 2026 at 18:29 UTC.

Advisories

No advisories yet.

History

Thu, 19 Feb 2026 23:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 9.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

Thu, 19 Feb 2026 10:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Github, Github enterprise Server
Vendors & Products | | Github, Github enterprise Server

Wed, 18 Feb 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | An URL redirection vulnerability was identified in GitHub Enterprise Server that allowed attacker-controlled redirects to leak sensitive authorization tokens. The repository_pages API insecurely followed HTTP redirects when fetching artifact URLs, preserving the authorization header containing a privileged JWT. An authenticated user could redirect these requests to an attacker-controlled domain, exfiltrate the Actions.ManageOrgs JWT, and leverage it for potential remote code execution. Attackers would require access to the target GitHub Enterprise Server instance and the ability to exploit a legacy redirect to an attacker-controlled domain. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19 and was fixed in versions 3.19.2, 3.18.4, 3.17.10, 3.16.13, 3.15.17, and 3.14.22. This vulnerability was reported via the GitHub Bug Bounty program.
Title | | Improper Handling of HTTP Redirects vulnerability was identified in GitHub Enterprise Server that allowed leaking of authorization token and enabled remote code execution
Weaknesses | | CWE-601
References | |
Metrics | | cvssV4_0 {'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_P

Published:

Updated: 2026-02-18T21:20:02.732Z

Reserved: 2026-01-02T16:56:23.289Z

Link: CVE-2026-0573

Vulnrichment

Updated: 2026-02-18T21:18:36.138Z

NVD

Status : Analyzed

Published: 2026-02-18T21:16:22.470

Modified: 2026-02-19T22:49:21.843

Link: CVE-2026-0573

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:30:05Z

Weaknesses