Impact
An improper authorization flaw in GitHub Enterprise Server enables users who have only read access to a repository but write access to a project to alter issue and pull request metadata through the project interface. This weakness, identified as CWE-639, allows a user to modify metadata such as labels, assignees, or the state of issues and pull requests without holding repository write permission. The consequence is a privilege escalation that can tamper with the content and workflow of a repository's issue tracking system.
Affected Systems
GitHub Enterprise Server installations running versions prior to 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 or 3.19.3 are affected. The issue originates in the way project item updates are handled: when a project item is added to an existing project, column value changes are applied without verifying that the actor has write rights on the underlying repository.
Risk and Exploitability
The vulnerability carries a CVSS score of 5.3, indicating moderate severity, while the EPSS score is below 1%, suggesting a low current probability of exploitation. It is not listed in the CISA KEV catalog. The attack requires a user who can add items to a project and read the repository. Once such a user adds an item, the system accepts column value updates without checking repository write permission, enabling tampering with issue and pull request metadata. This permission bypass can be leveraged to manipulate project workflows, potentially compromising the confidentiality or integrity of repository data.
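The following is an added model of the authorization pattern described above; it is illustrative code written for this page, not GitHub's implementation. It assumes a two-layer permission scheme (project and repository), and the column names, repository and project names are constructed placeholders. The flawed function checks only project write before writing through to issue metadata; the fixed function also requires write on the repository the issue belongs to.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Perm(IntEnum):
    NONE = 0
    READ = 1
    WRITE = 2

@dataclass
class Actor:
    repo_perm: dict       # repository name -> Perm
    project_perm: dict    # project name -> Perm

@dataclass
class Issue:
    repo: str
    number: int
    state: str = "open"
    labels: set = field(default_factory=set)

# Columns whose values are written through to issue/PR metadata in the repository.
# Column names are constructed for this model, not GHES's real project field names.
REPO_BACKED_COLUMNS = {"Status": "state", "Labels": "labels"}

def update_item_column_flawed(actor, project, issue, column, value):
    """Authorizes only against the project: the pattern the advisory describes."""
    if actor.project_perm.get(project, Perm.NONE) < Perm.WRITE:
        return False
    if column in REPO_BACKED_COLUMNS:   # write lands on the repo with no repo check
        setattr(issue, REPO_BACKED_COLUMNS[column], value)
    return True

def update_item_column_fixed(actor, project, issue, column, value):
    """Authorizes against the resource the write actually lands on."""
    if actor.project_perm.get(project, Perm.NONE) < Perm.WRITE:
        return False
    if column in REPO_BACKED_COLUMNS:
        if actor.repo_perm.get(issue.repo, Perm.NONE) < Perm.WRITE:
            return False                # project write does not imply repo write
        setattr(issue, REPO_BACKED_COLUMNS[column], value)
    return True                         # project-only columns never touch the repo

def demo():
    """Constructed scenario: read access on the repository, write access on the project."""
    reader = Actor({"org/app": Perm.READ}, {"roadmap": Perm.WRITE})
    a, b = Issue("org/app", 42), Issue("org/app", 42)
    flawed = update_item_column_flawed(reader, "roadmap", a, "Status", "closed")
    fixed = update_item_column_fixed(reader, "roadmap", b, "Status", "closed")
    return flawed, a.state, fixed, b.state   # -> (True, 'closed', False, 'open')
```

The general rule the fix encodes is to authorize against the object a write actually modifies, not the container through which the request arrived.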
OpenCVE Enrichment