CVE-2026-1999
Received Received - Intake
Authorization Bypass in GitHub Enterprise Server Enables Unauthorized PR Merge

Publication date: 2026-02-18

Last updated on: 2026-04-08

Assigner: GitHub, Inc. (Products Only)

Description
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enable_auto_merge mutation for pull requests. This issue only affected repositories that allow forking as the attack relies on opening a pull request from an attacker-controlled fork into the target repository. Exploitation was only possible in specific scenarios. It required a clean pull request status and only applied to branches without branch protection rules enabled. This vulnerability affected GitHub Enterprise Server versions prior to 3.19.2, 3.18.5, and 3.17.11, and was fixed in versions 3.19.2, 3.18.5, and 3.17.11. This vulnerability was reported via the GitHub Bug Bounty program.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1999
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
github enterprise_server to 3.17.11 (exc)
github enterprise_server From 3.18.0 (inc) to 3.18.5 (exc)
github enterprise_server From 3.19.0 (inc) to 3.19.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an incorrect authorization issue in GitHub Enterprise Server. It allowed an attacker to merge their own pull request into a repository without having push access. The attacker exploited an authorization bypass in the enable_auto_merge mutation for pull requests.

The vulnerability only affected repositories that allow forking because the attack relies on opening a pull request from an attacker-controlled fork into the target repository. Exploitation was only possible under specific conditions: the pull request had to have a clean status, and the target branch could not have branch protection rules enabled.

This issue affected GitHub Enterprise Server versions prior to 3.19.2, 3.18.5, and 3.17.11, and was fixed in those versions.

Impact Analysis

This vulnerability can impact you by allowing an attacker to merge unauthorized code changes into your repository without having the necessary push permissions. This could lead to the introduction of malicious code, unauthorized modifications, or other security risks within your codebase.

Because the attacker can bypass normal authorization controls, it undermines the integrity of your repository and could potentially compromise your software development lifecycle.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your GitHub Enterprise Server to version 3.19.2, 3.18.5, or 3.17.11 or later, as these versions contain the fix for the authorization bypass issue.

Additionally, consider enabling branch protection rules on your repositories to prevent unauthorized merges via pull requests.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1999. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart