Description
An authentication bypass vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to create a local user account, bypassing the configured external identity provider. When external authentication was enabled, the signup endpoint did not properly enforce the authentication restriction, allowing account creation and session establishment without identity provider validation. The created account was limited to the default base permissions configured on the instance. Exploitation required network access to a GHES instance configured with an external authentication provider. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18.
Published: 2026-05-07
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in GitHub Enterprise Server lets an attacker with no credentials create a local user account through the signup endpoint, without any verification by the external identity provider that the instance is configured to require. The resulting account is granted only the default base permissions configured on the instance. This missing authentication check is classified as CWE-306 (Missing Authentication for Critical Function).

Affected Systems

GitHub Enterprise Server installations running any version prior to 3.21 are affected. The issue was resolved in the 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18 releases, so any instance still running an older build, especially one with external authentication enabled, remains at risk.

Risk and Exploitability

The CVSS v4.0 score of 6.3 rates the vulnerability as medium severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, which suggests it has not yet been widely exploited. Exploitation requires network access to a GitHub Enterprise Server instance that uses an external authentication provider, and the signup endpoint must be reachable. The inferred attack vector is the web-based signup form, which fails to enforce the external identity provider check.

Generated by OpenCVE AI on May 7, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade GitHub Enterprise Server to a patched release for its branch (3.20.2, 3.19.6, 3.18.9, 3.17.15, or 3.16.18, or newer) to close the vulnerability
  • Restrict network access to the signup endpoint so that only trusted internal hosts can reach it when external authentication is active
  • Monitor instance logs for unexpected local account creation events and investigate any unauthorized accounts



Advisories

No advisories yet.

History

Thu, 07 May 2026 23:15:00 +0000

  • First time appeared: Github; Github enterprise Server
  • Vendors & Products: Github; Github enterprise Server

Thu, 07 May 2026 21:45:00 +0000

  • Title (value removed): Missing Authentication for Critical Function vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to create a local user account bypassing the external identity provider
  • Title (value added): Authentication bypass vulnerability in GitHub Enterprise Server allowed creation of local user accounts bypassing the configured external identity provider

Thu, 07 May 2026 21:30:00 +0000

  • Description (value added): the description text shown at the top of this page
  • Title (value added): Missing Authentication for Critical Function vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to create a local user account bypassing the external identity provider
  • Weaknesses (value added): CWE-306
  • References (value added): none listed
  • Metrics (value added): cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_P

Published:

Updated: 2026-05-07T21:27:45.553Z

Reserved: 2026-04-21T02:53:28.704Z

Link: CVE-2026-6736

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-07T22:16:36.753

Modified: 2026-05-07T22:16:36.753

Link: CVE-2026-6736

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T23:30:40Z

Weaknesses