Description
An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can include write operations, via an authorization fallback that treated a revoked/deleted installation as a global installation context, which could be chained with token revocation timing and SSH push attribution to obtain and reuse a victim-scoped token. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.
Published: 2026-04-21
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to private repositories outside the intended installation scope
Action: Immediate Patch
AI Analysis

Impact

An improper authorization fallback in GitHub Enterprise Server's scoped user-to-server (ghu_) tokens allows an authenticated actor to write to or read from private repositories that should be inaccessible, by treating a revoked or deleted installation as a global context. The vulnerability can be chained with token revocation timing and SSH push attribution to obtain and reuse a victim-scoped token, enabling unauthorized repository modifications. This flaw is an authorization weakness (CWE-639).

Affected Systems

The flaw affected all GitHub Enterprise Server releases prior to 3.21. The following patch releases addressed the issue: 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. Any installation using older minor versions is vulnerable and must be upgraded or patched.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity vulnerability, though the EPSS score is not available and the flaw is not listed in the CISA KEV catalog. Exploitation requires authentication and knowledge of token revocation timing; however, the ability to write to private repositories makes the impact significant for the confidentiality, integrity, and availability of codebases. The attack vector is internal or delegated (the CVSS 4.0 vector records AV:L with PR:L), which matches the need for an authenticated user and a crafted token-use scenario. Given the lack of external exploitation reports, the likelihood of public exploitation is uncertain, but the potential damage warrants prompt remediation.

Generated by OpenCVE AI on April 22, 2026 at 06:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all GitHub Enterprise Server instances to the latest patch (3.21 or newer) or to the specific fixed releases mentioned above.
  • If an upgrade cannot be performed immediately, disable the use of user-to-server (ghu_) tokens or restrict them to the minimal subset of repositories required by users.
  • After remediation, audit existing tokens, revoke those that may have been used in the chain, and enable detailed logging of token authorization attempts to detect any repeat exploitation attempts.
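The following is an added illustration, not GitHub's code (the vulnerable implementation is not part of this record). It models the defect the description names, a scope lookup that falls back to a global context when the token's installation is revoked or deleted, beside a fail-closed version, and adds the audit-line check that the logging recommendation above calls for. The Installation and ScopedToken types, the reason strings, the audit-line format and the sample repositories are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Installation:
    installation_id: int
    repos: FrozenSet[str]        # repositories the installation may reach
    revoked: bool = False        # set once the installation is revoked/deleted


@dataclass(frozen=True)
class ScopedToken:
    installation_id: int         # installation the ghu_ token was minted for
    repos: FrozenSet[str]        # repository subset selected at issuance
    permissions: FrozenSet[str]  # e.g. {"read", "write"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str                  # recorded so an audit can find fallback grants


def authorize_vulnerable(token: ScopedToken, installations: Dict[int, Installation],
                         repo: str, action: str) -> Decision:
    """Hypothetical fail-open resolver modelled on the advisory text."""
    inst = installations.get(token.installation_id)
    if inst is None or inst.revoked:
        # Defect: a missing or revoked installation is treated as a global
        # context, so the per-installation repository list is never consulted
        # and only the token's permission set gates the request.
        return Decision(action in token.permissions, "fallback:global-installation")
    if repo not in (inst.repos & token.repos):
        return Decision(False, "deny:repo-outside-installation-scope")
    return Decision(action in token.permissions, "allow:scoped")


def authorize_fixed(token: ScopedToken, installations: Dict[int, Installation],
                    repo: str, action: str) -> Decision:
    """Fail-closed resolver: no installation, no scope, no access."""
    inst = installations.get(token.installation_id)
    if inst is None:
        return Decision(False, "deny:installation-not-found")
    if inst.revoked:
        return Decision(False, "deny:installation-revoked")
    if repo not in (inst.repos & token.repos):
        return Decision(False, "deny:repo-outside-installation-scope")
    if action not in token.permissions:
        return Decision(False, "deny:permission-missing")
    return Decision(True, "allow:scoped")


def audit_line(token: ScopedToken, repo: str, action: str, d: Decision) -> str:
    """Constructed key=value audit format; the token value itself is never logged."""
    return (f"token=ghu_<redacted> installation={token.installation_id} repo={repo} "
            f"action={action} allowed={str(d.allowed).lower()} reason={d.reason}")


def find_fallback_grants(lines: List[str]) -> List[str]:
    """Return audit lines where access was granted through the fallback path."""
    hits = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split())
        if fields.get("allowed") == "true" and fields.get("reason", "").startswith("fallback:"):
            hits.append(line)
    return hits


def scenario() -> Dict[str, List[str]]:
    """Constructed sample: a token scoped to one repo of installation 42."""
    active = Installation(42, frozenset({"acme/app", "acme/infra"}))
    revoked = Installation(42, active.repos, revoked=True)
    token = ScopedToken(42, frozenset({"acme/app"}), frozenset({"read", "write"}))
    attempts = [
        ({42: active}, "acme/app", "write"),         # in scope: allowed by both
        ({42: active}, "acme/infra", "write"),       # outside token subset: denied by both
        ({42: revoked}, "victim/private", "write"),  # after revocation: resolvers differ
    ]
    vulnerable_log, fixed_log = [], []
    for installations, repo, action in attempts:
        vulnerable_log.append(audit_line(token, repo, action,
                                         authorize_vulnerable(token, installations, repo, action)))
        fixed_log.append(audit_line(token, repo, action,
                                    authorize_fixed(token, installations, repo, action)))
    return {"vulnerable": vulnerable_log, "fixed": fixed_log,
            "fallback_hits": find_fallback_grants(vulnerable_log)}


if __name__ == "__main__":
    for name, lines in scenario().items():
        print(name)
        for line in lines:
            print("  " + line)
```

The third attempt is the one that matters: with the installation revoked, the fail-open resolver grants a write to a repository the token was never scoped to, while the fail-closed resolver denies it with an explicit reason. Recording that reason in the audit line is what makes the post-remediation audit practical: `find_fallback_grants` needs only the decision log, not the token.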

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 03:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Github
                                      Github enterprise Server
Vendors & Products                    Github
                                      Github enterprise Server

Wed, 22 Apr 2026 00:00:00 +0000

Type          Values Removed   Values Added
Description                    An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can include write operations, via an authorization fallback that treated a revoked/deleted installation as a global installation context, which could be chained with token revocation timing and SSH push attribution to obtain and reuse a victim-scoped token. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.
Title                          Improper authorization fallback allows scoped user-to-server token installation escape in GitHub Enterprise Server
Weaknesses                     CWE-639
References
Metrics                        cvssV4_0 {'score': 7.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_P

Published:

Updated: 2026-04-21T22:42:13.198Z

Reserved: 2026-04-08T18:28:58.486Z

Link: CVE-2026-5845

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-21T23:16:22.473

Modified: 2026-04-21T23:16:22.473

Link: CVE-2026-5845

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:15:10Z

Weaknesses