CVE-2026-6736
Authentication Bypass in GitHub Enterprise Server
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc. (Products Only)
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| github | enterprise_server | all versions before 3.21 (3.21 excluded) |
| github | enterprise_server | 3.20.2 |
| github | enterprise_server | 3.19.6 |
| github | enterprise_server | 3.18.9 |
| github | enterprise_server | 3.17.15 |
| github | enterprise_server | 3.16.18 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authentication bypass in GitHub Enterprise Server. It allows an unauthenticated attacker to create a local user account even when external authentication is enabled. Normally, the external identity provider should restrict account creation, but due to this flaw, the signup endpoint does not properly enforce this restriction. As a result, an attacker can create an account and establish a session without going through the identity provider.
The created account has only the default base permissions configured on the instance. Exploitation requires network access to a GitHub Enterprise Server instance that is configured with an external authentication provider. This issue affects all versions prior to 3.21 and was fixed in specific patch versions.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to bypass authentication controls and create a local user account on your GitHub Enterprise Server instance without proper validation. Although the attacker only gains the default base permissions, this unauthorized access could lead to unauthorized actions within the system, potential data exposure, or further exploitation depending on the permissions and configurations.
Since exploitation requires network access to the affected instance, the risk is limited to environments where an attacker can reach the server. However, any unauthorized account creation undermines the security model relying on external identity providers.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade your GitHub Enterprise Server to one of the fixed versions: 3.20.2, 3.19.6, 3.18.9, 3.17.15, or 3.16.18.
Ensure that external authentication providers are properly configured and that the signup endpoint enforces authentication restrictions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an unauthenticated attacker to create a local user account on GitHub Enterprise Server instances configured with external authentication providers, bypassing identity provider validation.
Such unauthorized account creation could potentially lead to unauthorized access to sensitive data or systems, which may impact compliance with standards and regulations like GDPR or HIPAA that require strict access controls and identity verification.
However, the created account is limited to default base permissions, which may mitigate some risks but does not eliminate the compliance concerns related to authentication bypass.