Description
A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to read source code from private repositories they did not have access to. The
Copilot pull request description diff summary endpoint accepted a cross-repository comparison range and rendered the resulting diff without verifying that the requesting user was authorized to view
the target repository. Exploitation required an authenticated account on the instance with read access to at least one repository to use as the comparison base. This vulnerability affected all
versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, and 3.20.4. This vulnerability was reported via the GitHub Bug Bounty program.
Published: 2026-06-30
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated user to read source code from private repositories they were not explicitly granted access to. It is a missing authorization flaw that enables the rendering of a diff summary across repositories without checking permissions on the target repository. The impact is the disclosure of confidential code, potentially compromising intellectual property or proprietary logic.

Affected Systems

GitHub Enterprise Server versions prior to 3.21 are affected. The issue was corrected in 3.17.17, 3.18.11, 3.19.8, and 3.20.4, so any instance running a version before 3.21 is vulnerable if not updated.

Risk and Exploitability

The CVSS score of 6.0 indicates a moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploit activity yet. An attacker must have an authenticated account with read access to at least one repository to try the exploit, so the attack vector is through legitimate user access rather than unauthenticated external entry. The lack of extensive public exploitation data reduces the current threat level but still warrants remediation.

Generated by OpenCVE AI on June 30, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GitHub Enterprise Server to the latest patched version (3.17.17, 3.18.11, 3.19.8, or 3.20.4 or later).
  • Ensure all internal Enterprise Server instances are updated to the patched releases to close the authorization gap.
  • If an upgrade cannot be performed immediately, restrict or disable the Copilot pull request diff summary endpoint to prevent unauthorized diff rendering.
  • Actively monitor server access logs for anomalous requests to the diff summary endpoint and investigate any suspicious activity.

Generated by OpenCVE AI on June 30, 2026 at 22:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to read source code from private repositories they did not have access to. The Copilot pull request description diff summary endpoint accepted a cross-repository comparison range and rendered the resulting diff without verifying that the requesting user was authorized to view the target repository. Exploitation required an authenticated account on the instance with read access to at least one repository to use as the comparison base. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, and 3.20.4. This vulnerability was reported via the GitHub Bug Bounty program.
Title Missing authorization vulnerability in GitHub Enterprise Server allowed disclosure of private repository contents via the Copilot pull request diff summary endpoint
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_P

Published:

Updated: 2026-06-30T20:23:37.445Z

Reserved: 2026-05-20T18:18:07.930Z

Link: CVE-2026-9132

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T22:30:06Z

Weaknesses