CVE-2026-3307
Received Received - Intake
Authorization Bypass in GitHub Enterprise Server Secret Scanning

Publication date: 2026-04-21

Last updated on: 2026-04-29

Assigner: GitHub, Inc. (Products Only)

Description
An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository by manipulating the owner_id parameter in the request body. Authorization was verified against the repository in the URL, but the action was applied to a different repository specified in the request body. The impact is limited to assigning existing trusted users as bypass reviewers; it does not allow adding arbitrary external users. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4 and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3307
EUVD
EUVD-2026-24520
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
github enterprise_server to 3.14.26 (exc)
github enterprise_server From 3.15.0 (inc) to 3.15.21 (exc)
github enterprise_server From 3.16.0 (inc) to 3.16.17 (exc)
github enterprise_server From 3.17.0 (inc) to 3.17.14 (exc)
github enterprise_server From 3.18.0 (inc) to 3.18.8 (exc)
github enterprise_server From 3.19.0 (inc) to 3.19.5 (exc)
github enterprise_server 3.20.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an authorization bypass in GitHub Enterprise Server. It allows an attacker who already has admin access to one repository to modify the secret scanning push protection delegated bypass reviewer list on a different repository. The attacker does this by manipulating the owner_id parameter in the request body. Although authorization is checked against the repository in the URL, the action is applied to another repository specified in the request body.

The impact is limited because the attacker can only assign existing trusted users as bypass reviewers; they cannot add arbitrary external users.

Impact Analysis

The vulnerability could allow an attacker with admin rights on one repository to alter the secret scanning push protection settings on another repository by assigning trusted users as bypass reviewers. This could potentially weaken the security controls around secret scanning on the affected repository, allowing certain pushes to bypass secret scanning protections.

However, the attacker cannot add arbitrary external users as bypass reviewers, which limits the scope of the impact.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your GitHub Enterprise Server to one of the fixed versions: 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, or 3.20.1.

This will ensure that the authorization bypass vulnerability related to secret scanning push protection delegated bypass reviewer list manipulation is resolved.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3307. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart