CVE-2026-9106
Received Received - Intake

UI Misrepresentation in GitHub Enterprise Server

Vulnerability report for CVE-2026-9106, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: GitHub, Inc. (Products Only)

Description

A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. An attacker could exploit this by creating an OAuth application requesting the manage_runners:org scope and directing a victim user to authorize it, as the scope was not displayed on the authorization consent screen. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17. This vulnerability was reported via the GitHub Bug Bounty program.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-30
Last Modified
2026-06-30
Generated
2026-07-01
AI Q&A
2026-07-01
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 7 associated CPEs
Vendor Product Version / Range
github enterprise_server to 3.22 (exc)
github enterprise_server 3.21.2
github enterprise_server 3.20.4
github enterprise_server 3.19.8
github enterprise_server 3.18.11
github enterprise_server 3.17.17
github enterprise_server 3.16.20

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-451 The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a UI misrepresentation issue in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management.

An attacker could exploit this by creating an OAuth application that requests the manage_runners:org scope and then directing a victim user to authorize it. The problem was that this scope was not displayed on the authorization consent screen, so the user was unaware of the permissions being granted.

This affected all versions of GitHub Enterprise Server prior to version 3.22 and was fixed in several patch versions including 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, and 3.16.20.

Impact Analysis

This vulnerability can impact you by allowing an attacker to gain unauthorized access to your organization's runner management in GitHub Enterprise Server.

Since the attacker can manage runners, they could potentially manipulate or control the runners used for your organization's workflows, which could lead to unauthorized code execution or disruption of your CI/CD pipelines.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your GitHub Enterprise Server to one of the fixed versions: 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, or 3.16.20.

This vulnerability affects all versions prior to 3.22, so applying the update will prevent OAuth applications from gaining unintended access to organization runner management.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9106. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart