CVE-2026-4296
Received Received - Intake
OAuth Redirect URI Bypass in GitHub Enterprise Server Enables Account Takeover

Publication date: 2026-04-21

Last updated on: 2026-04-29

Assigner: GitHub, Inc. (Products Only)

Description
An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect URI validation. An attacker with knowledge of a first-party OAuth application's registered callback URL could craft a malicious authorization link that, when clicked by a victim, would redirect the OAuth authorization code to an attacker-controlled domain. This could allow the attacker to gain unauthorized access to the victim's account with the scopes granted to the OAuth application. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-4296
EUVD
EUVD-2026-24545
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
github enterprise_server to 3.14.26 (exc)
github enterprise_server From 3.15.0 (inc) to 3.15.21 (exc)
github enterprise_server From 3.16.0 (inc) to 3.16.17 (exc)
github enterprise_server From 3.17.0 (inc) to 3.17.14 (exc)
github enterprise_server From 3.18.0 (inc) to 3.18.8 (exc)
github enterprise_server From 3.19.0 (inc) to 3.19.5 (exc)
github enterprise_server 3.20.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-185 The product specifies a regular expression in a way that causes data to be improperly matched or compared.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an incorrect regular expression issue in GitHub Enterprise Server that allows an attacker to bypass OAuth redirect URI validation.

An attacker who knows the registered callback URL of a first-party OAuth application can create a malicious authorization link.

When a victim clicks this link, the OAuth authorization code is redirected to a domain controlled by the attacker.

This enables the attacker to gain unauthorized access to the victim's account with the permissions granted to the OAuth application.

Impact Analysis

The vulnerability can lead to unauthorized access to user accounts on GitHub Enterprise Server.

An attacker can exploit this flaw to obtain OAuth authorization codes and use them to access victim accounts with the same scopes as the OAuth application.

This could result in data exposure, unauthorized actions, and potential compromise of sensitive information within the affected accounts.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your GitHub Enterprise Server to one of the fixed versions: 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, or 3.14.26.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4296. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart