Description
An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect URI validation. An attacker with knowledge of a first-party OAuth application's registered callback URL could craft a malicious authorization link that, when clicked by a victim, would redirect the OAuth authorization code to an attacker-controlled domain. This could allow the attacker to gain unauthorized access to the victim's account with the scopes granted to the OAuth application. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.
Published: 2026-04-21
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized account access
Action: Immediate Patch
AI Analysis

Impact

An incorrect regular expression in GitHub Enterprise Server allowed an attacker to bypass OAuth redirect URI validation, so an attacker could craft an authorization link that redirects the OAuth authorization code to a domain the attacker controls. The effect of this flaw is that an attacker can obtain the victim’s OAuth authorization code and, with the scopes granted to the application, gain unauthorized access to the victim’s account. The vulnerability is an input validation failure, classified as CWE‑185 (Incorrect Regular Expression), and results in a compromise of account integrity and confidentiality.

Affected Systems

All GitHub Enterprise Server versions prior to 3.21 are impacted, except for the patched releases 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26, which contain the fix.

Risk and Exploitability

The CVSS severity is 7.5, indicating a high‑impact vulnerability. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed exploitation to date. An attacker would, however, need to know the registered callback URL of a first‑party OAuth application, and the victim must click the crafted link. Based on the description, the attack vector is likely social engineering via a malicious link, with authentication bypass as the outcome.

Generated by OpenCVE AI on April 22, 2026 at 06:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GitHub Enterprise Server to any of the patched releases: 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, or 3.14.26.
  • Revoke or disable any OAuth applications that may be vulnerable until the upgrade is completed to prevent further exploitation.
  • Review all custom redirect URIs to ensure they match the expected domain exactly, and adjust configuration if necessary to eliminate future validation bypass opportunities.
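The advisory describes an incorrect regular expression (CWE-185) in redirect URI validation, and the recommended actions call for redirect URIs to match the registered value exactly. The Python below is an added example, not GitHub Enterprise Server code and not derived from the actual flaw: it places a constructed, deliberately weak prefix regex beside a component-wise exact-match check, runs both over constructed redirect_uri values, and sweeps constructed authorize-endpoint log lines for values that fail the strict check, which is the kind of retrospective review a defender would run after patching. The registered callback URL, the weak pattern, the sample URIs and the log line format are all assumptions.

```python
"""Redirect URI validation: an incorrect regular expression beside an exact-match
check. Constructed illustration of the CWE-185 bug class; not GitHub Enterprise
Server code, and the weak pattern is hypothetical."""
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical registered callback URL for a first-party OAuth app (constructed).
REGISTERED_CALLBACK = "https://app.example.com/oauth/callback"

# Weak validator (constructed): anchored only at the start, and the dots in the
# host are unescaped, so '.' matches any character and anything may follow the
# registered prefix.
_WEAK_PATTERN = re.compile(r"^https://app.example.com")


def weak_is_allowed(redirect_uri: str) -> bool:
    """Prefix/regex check of the kind CWE-185 describes."""
    return _WEAK_PATTERN.match(redirect_uri) is not None


def strict_is_allowed(redirect_uri: str, registered: str = REGISTERED_CALLBACK) -> bool:
    """Component-wise exact match. RFC 6749 calls for simple string comparison of
    redirect URIs; parsing first lets userinfo and fragments be rejected
    explicitly and makes the mismatching component available for logging."""
    want = urlsplit(registered)
    got = urlsplit(redirect_uri)
    # A netloc containing '@' (userinfo) is a classic trick against prefix
    # matchers: the real host is whatever follows the '@'.
    if "@" in got.netloc or got.fragment:
        return False
    return (got.scheme, got.netloc.lower(), got.path, got.query) == (
        want.scheme, want.netloc.lower(), want.path, want.query)


# Constructed redirect_uri values an authorization server might receive.
SAMPLE_REDIRECTS = [
    "https://app.example.com/oauth/callback",                   # legitimate
    "https://app.example.com.attacker.example/oauth/callback",  # no end anchor
    "https://app-example.com/oauth/callback",                   # unescaped '.'
    "https://app.example.com@attacker.example/oauth/callback",  # userinfo trick
    "http://app.example.com/oauth/callback",                    # scheme downgrade
]


def compare_validators(uris=SAMPLE_REDIRECTS):
    """Return {uri: (weak_verdict, strict_verdict)} for each candidate."""
    return {u: (weak_is_allowed(u), strict_is_allowed(u)) for u in uris}


# Constructed access-log lines for an authorization endpoint (not real GHES logs).
SAMPLE_LOG = """\
2026-04-22T10:00:01Z GET /login/oauth/authorize?client_id=c1&redirect_uri=https%3A%2F%2Fapp.example.com%2Foauth%2Fcallback&response_type=code
2026-04-22T10:00:02Z GET /login/oauth/authorize?client_id=c1&redirect_uri=https%3A%2F%2Fapp.example.com.attacker.example%2Foauth%2Fcallback&response_type=code
2026-04-22T10:00:03Z GET /login/oauth/authorize?client_id=c1&redirect_uri=https%3A%2F%2Fapp-example.com%2Foauth%2Fcallback&response_type=code
"""


def flag_suspicious_requests(log_text=SAMPLE_LOG, registered=REGISTERED_CALLBACK):
    """Return the redirect_uri values in the log that fail the strict check:
    a detection sweep over historical authorize requests."""
    flagged = []
    for line in log_text.splitlines():
        _timestamp, _method, path = line.split(" ", 2)
        query = urlsplit(path).query
        for uri in parse_qs(query).get("redirect_uri", []):
            if not strict_is_allowed(uri, registered):
                flagged.append(uri)
    return flagged


if __name__ == "__main__":
    for uri, (weak, strict) in compare_validators().items():
        print(f"weak={weak!s:5} strict={strict!s:5} {uri}")
    print("flagged:", flag_suspicious_requests())
```

Run as a script, the table shows the weak pattern accepting three attacker-controlled hosts that the strict check rejects, and the log sweep returns those two non-matching redirect_uri values. In a real review the registered value would be looked up per client_id rather than taken from a constant.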

Generated by OpenCVE AI on April 22, 2026 at 06:18 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 04:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Github; Github enterprise Server

Type: Vendors & Products
Values Removed: (none)
Values Added: Github; Github enterprise Server

Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect URI validation. An attacker with knowledge of a first-party OAuth application's registered callback URL could craft a malicious authorization link that, when clicked by a victim, would redirect the OAuth authorization code to an attacker-controlled domain. This could allow the attacker to gain unauthorized access to the victim's account with the scopes granted to the OAuth application. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.

Type: Title
Values Removed: (none)
Values Added: Incorrect Regular Expression vulnerability in GitHub Enterprise Server allowed unauthorized access to user accounts via OAuth callback URL validation bypass

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-185

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_P

Published:

Updated: 2026-04-22T13:16:53.004Z

Reserved: 2026-03-16T17:48:03.040Z

Link: CVE-2026-4296

Vulnrichment

Updated: 2026-04-22T13:16:47.875Z

NVD

Status: Awaiting Analysis

Published: 2026-04-21T23:16:21.807

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-4296

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:30:10Z

Weaknesses