CVE-2026-6736
Analyzed Analyzed - Analysis Complete
Authentication Bypass in GitHub Enterprise Server

Publication date: 2026-05-07

Last updated on: 2026-05-11

Assigner: GitHub, Inc. (Products Only)

Description
An authentication bypass vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to create a local user account, bypassing the configured external identity provider. When external authentication was enabled, the signup endpoint did not properly enforce the authentication restriction, allowing account creation and session establishment without identity provider validation. The created account was limited to the default base permissions configured on the instance. Exploitation required network access to a GHES instance configured with an external authentication provider. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-11
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-6736
EUVD
EUVD-2026-28461
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
github enterprise_server From 3.20.0 (inc) to 3.20.2 (exc)
github enterprise_server to 3.16.18 (exc)
github enterprise_server From 3.17.0 (inc) to 3.17.15 (exc)
github enterprise_server From 3.18.0 (inc) to 3.18.9 (exc)
github enterprise_server From 3.19.0 (inc) to 3.19.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an authentication bypass in GitHub Enterprise Server. It allows an unauthenticated attacker to create a local user account even when external authentication is enabled. Normally, the external identity provider should restrict account creation, but due to this flaw, the signup endpoint does not properly enforce this restriction. As a result, an attacker can create an account and establish a session without going through the identity provider.

The created account has only the default base permissions configured on the instance. Exploitation requires network access to a GitHub Enterprise Server instance that is configured with an external authentication provider. This issue affects all versions prior to 3.21 and was fixed in specific patch versions.

Impact Analysis

This vulnerability can impact you by allowing an attacker to bypass authentication controls and create a local user account on your GitHub Enterprise Server instance without proper validation. Although the attacker only gains the default base permissions, this unauthorized access could lead to unauthorized actions within the system, potential data exposure, or further exploitation depending on the permissions and configurations.

Since exploitation requires network access to the affected instance, the risk is limited to environments where an attacker can reach the server. However, any unauthorized account creation undermines the security model relying on external identity providers.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your GitHub Enterprise Server to one of the fixed versions: 3.20.2, 3.19.6, 3.18.9, 3.17.15, or 3.16.18.

Ensure that external authentication providers are properly configured and that the signup endpoint enforces authentication restrictions.

Compliance Impact

This vulnerability allows an unauthenticated attacker to create a local user account on GitHub Enterprise Server instances configured with external authentication providers, bypassing identity provider validation.

Such unauthorized account creation could potentially lead to unauthorized access to sensitive data or systems, which may impact compliance with standards and regulations like GDPR or HIPAA that require strict access controls and identity verification.

However, the created account is limited to default base permissions, which may mitigate some risks but does not eliminate the compliance concerns related to authentication bypass.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6736. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart