CVE-2026-1355
Received Received - Intake
Missing Authorization in GitHub Enterprise Repository Migration Upload

Publication date: 2026-02-18

Last updated on: 2026-02-19

Assigner: GitHub, Inc. (Products Only)

Description
A Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to upload unauthorized content to another user’s repository migration export due to a missing authorization check in the repository migration upload endpoint. By supplying the migration identifier, an attacker could overwrite or replace a victim’s migration archive, potentially causing victims to download attacker-controlled repository data during migration restores or automated imports. An attacker would require authentication to the victim's GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.2, 3.18.5, 3.17.11, 3.16.14, 3.15.18, 3.14.23. This vulnerability was reported via the GitHub Bug Bounty program.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-02-19
Generated
2026-05-07
AI Q&A
2026-02-18
EPSS Evaluated
2026-05-05
NVD
CVE-2026-1355
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
github enterprise_server From 3.18.0 (inc) to 3.18.5 (exc)
github enterprise_server From 3.19.0 (inc) to 3.19.2 (exc)
github enterprise_server to 3.14.23 (exc)
github enterprise_server From 3.15.0 (inc) to 3.15.18 (exc)
github enterprise_server From 3.16.0 (inc) to 3.16.14 (exc)
github enterprise_server From 3.17.0 (inc) to 3.17.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Missing Authorization issue in GitHub Enterprise Server. It allows an attacker who is authenticated on the server to upload unauthorized content to another user's repository migration export. By using the migration identifier, the attacker can overwrite or replace the victim's migration archive. This means that when the victim restores or imports their repository migration, they might download data controlled by the attacker.


How can this vulnerability impact me? :

The impact of this vulnerability is that an attacker could replace a victim's repository migration data with malicious or unauthorized content. This could lead to the victim unknowingly importing compromised or attacker-controlled data into their repositories during migration restores or automated imports, potentially causing data integrity issues or security breaches.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade your GitHub Enterprise Server to one of the fixed versions: 3.19.2, 3.18.5, 3.17.11, 3.16.14, 3.15.18, or 3.14.23.

Since the vulnerability requires authentication, ensure that access to your GitHub Enterprise Server instance is tightly controlled and monitored.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart