Impact
An Incorrect Authorization flaw in GitHub Enterprise Server allows a user authenticated with a classic personal access token that lacks the repo scope to retrieve issues and commits from private and internal repositories through the search REST API endpoints. The weakness, identified as CWE-862, enables an attacker to read repository data that should be restricted, potentially exposing sensitive information, code, and issue histories. The impact is a moderate breach of confidentiality; the flaw does not provide code execution or persistence capabilities.
Affected Systems
GitHub Enterprise Server was affected in all releases prior to 3.20. The vulnerability was fixed in versions 3.16.15, 3.17.12, 3.18.6, and 3.19.3, so any installation running an earlier version is at risk and must be updated. The fix eliminates the ability of a token without the repo scope to return search results from private or internal repositories that the user can otherwise access through organization membership or collaboration.
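The flaw and its fix come down to two separate authorization questions that the search endpoint must answer before returning a result: whether the user can reach the repository at all, and whether the presented token carries a scope that permits reading it. The following constructed Python model, added here and not GitHub's code, shows a search routine that only performs the first check beside one that performs both; the repository names, users, scopes and issue titles are all made-up sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Repo:
    name: str
    visibility: str      # "public", "internal" or "private"
    members: frozenset   # users with access via org membership or collaboration
    issues: tuple        # issue titles (constructed sample data)


@dataclass(frozen=True)
class Token:
    user: str
    scopes: frozenset    # classic PAT scopes, e.g. frozenset({"repo"})


def user_can_access(repo, user):
    """Check 1: does the user have access to the repository at all?"""
    return repo.visibility == "public" or user in repo.members


def token_allows(repo, token):
    """Check 2: private and internal repositories need the classic 'repo' scope."""
    return repo.visibility == "public" or "repo" in token.scopes


def search_issues_vulnerable(token, repos, query):
    """Models the flaw: results are filtered by user access only, scope is ignored."""
    return [(r.name, i) for r in repos if user_can_access(r, token.user)
            for i in r.issues if query in i]


def search_issues_fixed(token, repos, query):
    """Models the fix: a search hit needs the same scope a direct repo read needs."""
    return [(r.name, i) for r in repos
            if user_can_access(r, token.user) and token_allows(r, token)
            for i in r.issues if query in i]


# Constructed sample data: alice is a member of all three repositories.
REPOS = (
    Repo("acme/website", "public", frozenset({"alice"}), ("Fix login typo",)),
    Repo("acme/payments", "private", frozenset({"alice"}), ("Rotate key in prod",)),
    Repo("acme/infra", "internal", frozenset({"alice", "bob"}), ("Harden bastion",)),
)
NO_REPO_SCOPE = Token("alice", frozenset({"read:user"}))
REPO_SCOPE = Token("alice", frozenset({"repo"}))

if __name__ == "__main__":
    for name, fn in (("vulnerable", search_issues_vulnerable), ("fixed", search_issues_fixed)):
        print(name, "token without repo scope:", fn(NO_REPO_SCOPE, REPOS, ""))
```

With the vulnerable routine the read:user-only token sees issues from all three repositories; the fixed routine returns only the public one, which is the behaviour the patched releases restore.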
Risk and Exploitability
The CVSS score of 5.3 indicates moderate risk, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The flaw is not listed in the CISA KEV catalog, further supporting a low imminent threat profile. However, to exploit the weakness a user must already possess repository access, which in practice means a legitimate member or collaborator. Once authenticated, they can query the API and receive data that should require repo privileges, meaning that any compromised or malicious account with broad organization membership could surreptitiously harvest internal code and issue information. The attack vector, inferred from the description, is authenticated remote use of the API; no local privilege escalation or code execution is required.
OpenCVE Enrichment