CVE-2026-14340
Status: Received (Intake)

Incorrect Authorization in GitHub Enterprise Server

Vulnerability report for CVE-2026-14340, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc. (Products Only)

Description

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a user-to-server token scoped to a GitHub App installation to perform certain write operations on public repositories outside the token's intended scope. This was possible because the authorization check only verified that the installation had read permissions on the target repository rather than verifying that the token's installation was explicitly granted access to that repository. An attacker who obtained a victim's user-to-server token could create issues, issue comments, commit comments, and private vulnerability reports on any public repository, appearing as the victim user with no indication of the app's involvement. This vulnerability was fixed by adding a repository scope check for user-to-server tokens issued by global apps. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, and 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

7 associated CPEs:

Vendor   Product            Version / Range
github   enterprise_server  up to 3.22 (excluding)
github   enterprise_server  3.21.2
github   enterprise_server  3.20.4
github   enterprise_server  3.19.8
github   enterprise_server  3.18.11
github   enterprise_server  3.17.17
github   enterprise_server  3.16.20

Exploitability

CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

AI Quick Actions (insights generated by AI)

Executive Summary

This vulnerability is an incorrect authorization issue in GitHub Enterprise Server. It allowed a user-to-server token, which was supposed to be limited to a specific GitHub App installation, to perform certain write operations on public repositories outside its intended scope.

The problem occurred because the authorization check only verified that the installation had read permissions on the target repository, rather than confirming that the token's installation was explicitly granted access to that repository.

An attacker who obtained a victim's user-to-server token could create issues, issue comments, commit comments, and private vulnerability reports on any public repository, making these actions appear as if performed by the victim user without any indication of the app's involvement.

The vulnerability was fixed by adding a repository scope check for user-to-server tokens issued by global apps.
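The two authorization decisions described above, the read-permission test in vulnerable versions beside the added repository scope check, as an added illustration in Ruby that is not GitHub's own code. The installation, token and repository names are constructed, and the "global app" distinction is simplified by treating every user-to-server token as issued by one.

```ruby
Repository   = Struct.new(:id, :public_repo)
Installation = Struct.new(:id, :granted_repo_ids)
# A user-to-server token acts as its user but is bound to one app installation.
UserToServerToken = Struct.new(:user, :installation)

# Check attributed to vulnerable versions: any installation "can read" a public
# repository, so this passed for write operations on every public repository.
def installation_can_read?(installation, repo)
  repo.public_repo || installation.granted_repo_ids.include?(repo.id)
end

def authorize_write_vulnerable(token, repo)
  installation_can_read?(token.installation, repo)
end

# Fixed check: the token's installation must have been explicitly granted
# access to this specific repository, not merely be able to read it.
def explicitly_granted?(installation, repo)
  installation.granted_repo_ids.include?(repo.id)
end

def authorize_write_fixed(token, repo)
  installation_can_read?(token.installation, repo) &&
    explicitly_granted?(token.installation, repo)
end

# Simulated write: returns an audit-style record (note the actor is the token's
# user, with no app identity attached) or :forbidden.
def create_issue(token, repo, title, check:)
  return :forbidden unless check.call(token, repo)
  { repo: repo.id, title: title, actor: token.user, installation: token.installation.id }
end

# Constructed scenario: the installation was granted only "org/app-repo";
# "someone/public-repo" is a public repository outside that grant.
GRANTED_REPO = Repository.new("org/app-repo", false)
OTHER_PUBLIC = Repository.new("someone/public-repo", true)
INSTALLATION = Installation.new(42, [GRANTED_REPO.id])
TOKEN        = UserToServerToken.new("victim", INSTALLATION)

if __FILE__ == $PROGRAM_NAME
  p create_issue(TOKEN, OTHER_PUBLIC, "x", check: method(:authorize_write_vulnerable)) # out-of-scope write allowed
  p create_issue(TOKEN, OTHER_PUBLIC, "x", check: method(:authorize_write_fixed))      # :forbidden
  p create_issue(TOKEN, GRANTED_REPO, "x", check: method(:authorize_write_fixed))      # in-scope write allowed
end
```

The audit record in the first call shows why the issue was attributed to the victim: the write is recorded under the token's user, and nothing in it identifies the app whose installation scope was ignored.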

Impact Analysis

If exploited, this vulnerability could allow an attacker to perform unauthorized write operations on public repositories using a victim's user-to-server token.

  • Create issues on public repositories appearing as the victim user.
  • Post issue comments and commit comments impersonating the victim.
  • Submit private vulnerability reports on any public repository under the victim's identity.

This could lead to reputational damage, unauthorized changes, and potential misuse of the victim's identity within GitHub Enterprise Server.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your GitHub Enterprise Server to one of the fixed versions: 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, or 3.16.20.

This vulnerability affects all versions prior to 3.22, so applying the update will ensure the authorization check includes the necessary repository scope verification for user-to-server tokens.
