Impact
An improper authorization flaw in the mobile upload policy API of GitHub Enterprise Server allowed an authenticated attacker to learn the names of private repositories from their numeric IDs. When the API produced a validation error, the response echoed the full repository name even for repositories the caller could not access. The weakness is catalogued as CWE-201 (sensitive information inserted into sent data): the error response was built without an authorization check, so confidential information reached users who had no permission to view it. The CVSS score of 5.3 reflects a moderate risk to confidentiality; integrity and availability are not affected.
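The bug class is easier to see next to its fix. The following Ruby is an added illustrative model written for this page, not GitHub's code: the repository store, the `authorized?` check, the upload-policy validator and the two handler variants are all hypothetical. The vulnerable handler interpolates `repo.name` into a validation error before authorizing the caller; the hardened handler authorizes first and, on failure, returns the same generic 404 for "does not exist" and "not yours", so the error path can no longer be used as an ID-to-name oracle.

```ruby
# Hypothetical in-memory repository store (constructed sample data).
Repo = Struct.new(:id, :name, :private, :members)

REPOS = {
  1 => Repo.new(1, "octo/public-docs", false, []),
  2 => Repo.new(2, "acme/secret-payments", true, ["alice"]),
}.freeze

# Hypothetical authorization rule: public repos are readable by anyone,
# private repos only by listed members.
def authorized?(repo, user)
  !repo.private || repo.members.include?(user)
end

class ValidationError < StandardError; end

# Hypothetical request validator for an upload policy request.
def validate_policy!(policy)
  raise ValidationError, "content_type missing" unless policy[:content_type]
  raise ValidationError, "size must be positive" unless policy[:size].to_i > 0
end

# VULNERABLE pattern: the validation error is rendered, with the full
# repository name, before the caller's access to the repository is checked.
# Any authenticated user can send a deliberately invalid policy for an
# arbitrary numeric ID and read the name out of the 422 body.
def upload_policy_vulnerable(user, repo_id, policy)
  repo = REPOS[repo_id]
  return [404, { error: "not found" }] unless repo
  begin
    validate_policy!(policy)
  rescue ValidationError => e
    return [422, { error: "#{e.message} for repository #{repo.name}" }]
  end
  return [403, { error: "forbidden" }] unless authorized?(repo, user)
  [200, { upload_url: "https://uploads.example/#{repo.id}" }]
end

# HARDENED pattern: authorize before doing anything with the resource, and
# make "missing" and "unauthorized" indistinguishable (both 404) so the
# response neither confirms the ID exists nor leaks the name. Once the
# caller is authorized, the error may reference the repository, but by the
# ID the caller already supplied rather than by name.
def upload_policy_hardened(user, repo_id, policy)
  repo = REPOS[repo_id]
  return [404, { error: "not found" }] if repo.nil? || !authorized?(repo, user)
  begin
    validate_policy!(policy)
  rescue ValidationError => e
    return [422, { error: e.message, repository_id: repo.id }]
  end
  [200, { upload_url: "https://uploads.example/#{repo.id}" }]
end
```

The order of operations is the whole fix: resolve the resource, authorize the caller, and only then validate or render anything derived from the resource. The same review question applies to every error branch in an API, not just the happy path.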
Affected Systems
The vulnerability affects GitHub Enterprise Server releases prior to 3.21. Fixes are available in 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. Operations teams should confirm the exact release they are running and upgrade to the patched version on their release line; instances on a line older than 3.14 have no fix listed here and need to move to a supported line.
Risk and Exploitability
The attack vector is an authenticated request to the mobile upload policy endpoint that names the target repository by numeric ID and deliberately triggers a validation error. Because any authenticated account suffices, the flaw is exploitable by an insider or by anyone holding compromised or reused credentials, and numeric IDs can simply be iterated to map the names of private repositories across the instance. No EPSS score is available and the vulnerability is not in the CISA KEV. Its impact is limited to information disclosure, with no integrity or availability component, but a CVSS of 5.3 and the ability to enumerate private repository names still make it a meaningful confidentiality threat. Organizations should treat this as an elevated risk until the server is updated.
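Until the upgrade lands, the enumeration pattern is detectable from request logs: one actor producing validation errors against many distinct repository IDs in a short window. The Ruby below is an added example written for this page, not a GitHub or OpenCVE tool. The log format and the endpoint path are constructed placeholders (the real GHES audit-log schema and route are not reproduced here), and the window and threshold values are assumptions to tune for the instance.

```ruby
require "json"
require "time"

# Hypothetical endpoint path used in the constructed log lines below.
UPLOAD_POLICY_PATH = "/mobile/upload_policy".freeze

# Constructed sample log lines (not the real GHES audit-log schema).
# "mallory" sweeps five IDs in five seconds, then one more 90 minutes later;
# "alice" hits her own repository once with a bad request.
SAMPLE_LOG = <<~LOG
  {"ts":"2024-05-01T10:00:00Z","actor":"mallory","path":"/mobile/upload_policy","repo_id":101,"status":422}
  {"ts":"2024-05-01T10:00:01Z","actor":"mallory","path":"/mobile/upload_policy","repo_id":102,"status":422}
  {"ts":"2024-05-01T10:00:02Z","actor":"mallory","path":"/mobile/upload_policy","repo_id":103,"status":422}
  {"ts":"2024-05-01T10:00:03Z","actor":"mallory","path":"/mobile/upload_policy","repo_id":104,"status":422}
  {"ts":"2024-05-01T10:00:04Z","actor":"mallory","path":"/mobile/upload_policy","repo_id":105,"status":422}
  {"ts":"2024-05-01T10:00:05Z","actor":"alice","path":"/mobile/upload_policy","repo_id":7,"status":200}
  {"ts":"2024-05-01T10:00:06Z","actor":"alice","path":"/mobile/upload_policy","repo_id":7,"status":422}
  {"ts":"2024-05-01T11:30:00Z","actor":"mallory","path":"/mobile/upload_policy","repo_id":106,"status":422}
LOG

# Parse one JSON object per line into a hash with a real Time value.
def parse_events(log_text)
  log_text.each_line.map do |line|
    e = JSON.parse(line)
    { ts: Time.iso8601(e["ts"]), actor: e["actor"], path: e["path"],
      repo_id: e["repo_id"], status: e["status"] }
  end
end

# Sliding-window detector: for each actor, find the largest set of distinct
# repository IDs that drew a 422 from the upload policy endpoint within
# window_seconds. Returns { actor => [repo_ids] } for actors at or above
# min_distinct_ids. Only 422s are counted because the leak sits on the
# validation-error path; successful requests are normal client traffic.
def find_enumerators(log_text, window_seconds: 300, min_distinct_ids: 5, path: UPLOAD_POLICY_PATH)
  events = parse_events(log_text).select { |e| e[:path] == path && e[:status] == 422 }
  hits = {}
  events.group_by { |e| e[:actor] }.each do |actor, evs|
    evs = evs.sort_by { |e| e[:ts] }
    evs.each_index do |i|
      window = evs[i..].take_while { |e| e[:ts] - evs[i][:ts] <= window_seconds }
      ids = window.map { |e| e[:repo_id] }.uniq
      next if ids.size < min_distinct_ids
      hits[actor] = ids if hits[actor].nil? || ids.size > hits[actor].size
    end
  end
  hits
end

if __FILE__ == $PROGRAM_NAME
  find_enumerators(SAMPLE_LOG).each do |actor, ids|
    puts "#{actor}: #{ids.size} distinct repo IDs drew validation errors (#{ids.join(', ')})"
  end
end
```

A single developer fat-fingering one request stays below the threshold; an ID sweep does not, and its 422-per-distinct-ID shape is hard to disguise without slowing the attack down enough to extend the window. Pair the alert with a token revocation for the flagged actor, since the prerequisite for exploitation is simply a valid session.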
OpenCVE Enrichment