CVE-2026-9106
Status: Received - Intake
UI Misrepresentation in GitHub Enterprise Server
Vulnerability report for CVE-2026-9106, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-30
Last updated on: 2026-06-30
Assigner: GitHub, Inc. (Products Only)
Description
A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. An attacker could exploit this by creating an OAuth application requesting the manage_runners:org scope and directing a victim user to authorize it, as the scope was not displayed on the authorization consent screen. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17. This vulnerability was reported via the GitHub Bug Bounty program.
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| github | enterprise_server | < 3.22 (exclusive) |
| github | enterprise_server | 3.21.2 |
| github | enterprise_server | 3.20.4 |
| github | enterprise_server | 3.19.8 |
| github | enterprise_server | 3.18.11 |
| github | enterprise_server | 3.17.17 |
| github | enterprise_server | 3.16.20 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-451 | The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks. |