CVE-2026-1355
Received Received - Intake
Missing Authorization in GitHub Enterprise Repository Migration Upload

Publication date: 2026-02-18

Last updated on: 2026-02-19

Assigner: GitHub, Inc. (Products Only)

Description
A Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to upload unauthorized content to another user’s repository migration export due to a missing authorization check in the repository migration upload endpoint. By supplying the migration identifier, an attacker could overwrite or replace a victim’s migration archive, potentially causing victims to download attacker-controlled repository data during migration restores or automated imports. An attacker would require authentication to the victim's GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.2, 3.18.5, 3.17.11, 3.16.14, 3.15.18, 3.14.23. This vulnerability was reported via the GitHub Bug Bounty program.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1355
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
github enterprise_server From 3.18.0 (inc) to 3.18.5 (exc)
github enterprise_server From 3.19.0 (inc) to 3.19.2 (exc)
github enterprise_server to 3.14.23 (exc)
github enterprise_server From 3.15.0 (inc) to 3.15.18 (exc)
github enterprise_server From 3.16.0 (inc) to 3.16.14 (exc)
github enterprise_server From 3.17.0 (inc) to 3.17.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Missing Authorization issue in GitHub Enterprise Server. It allows an attacker who is authenticated on the server to upload unauthorized content to another user's repository migration export. By using the migration identifier, the attacker can overwrite or replace the victim's migration archive. This means that when the victim restores or imports their repository migration, they might download data controlled by the attacker.

Impact Analysis

The impact of this vulnerability is that an attacker could replace a victim's repository migration data with malicious or unauthorized content. This could lead to the victim unknowingly importing compromised or attacker-controlled data into their repositories during migration restores or automated imports, potentially causing data integrity issues or security breaches.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your GitHub Enterprise Server to one of the fixed versions: 3.19.2, 3.18.5, 3.17.11, 3.16.14, 3.15.18, or 3.14.23.

Since the vulnerability requires authentication, ensure that access to your GitHub Enterprise Server instance is tightly controlled and monitored.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1355. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart