CVE-2026-15783
Received Received - Intake

Authorization Bypass in GitHub Enterprise Server

Vulnerability report for CVE-2026-15783, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc. (Products Only)

Description

A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with write access to any repository to read metadata from private repositories they did not have access to, including private repository owners and names, branch names, commit SHAs, commit messages, and the pushing actor. The delegated bypass endpoint resolved a rule suite directly from an attacker-supplied, encoded identifier without verifying that the requesting user could read the rule suite's repository, and because these identifiers are sequential an attacker could enumerate them across the instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.17.18, 3.18.12, 3.19.9, 3.20.5, and 3.21.3. This vulnerability was reported via the GitHub Bug Bounty program.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
github enterprise_server to 3.22 (exc)
github enterprise_server 3.17.18
github enterprise_server 3.18.12
github enterprise_server 3.19.9
github enterprise_server 3.20.5
github enterprise_server 3.21.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a missing authorization vulnerability in GitHub Enterprise Server. An authenticated user with write access to any repository could read metadata from private repositories they did not have access to. This includes private repository names, branch names, commit SHAs, commit messages, and the pushing actor. The vulnerability existed because a delegated bypass endpoint resolved a rule suite directly from an attacker-supplied, encoded identifier without verifying user access to the rule suite's repository. Attackers could enumerate these identifiers sequentially across the instance.

Detection Guidance

This vulnerability involves unauthorized access to private repository metadata via a missing authorization check. To detect it, review GitHub Enterprise Server logs for unusual access patterns to rule suite endpoints, particularly requests with encoded identifiers. Check for sequential enumeration attempts or unauthorized reads of private repository details by users without explicit access.

Impact Analysis

If you are a GitHub Enterprise Server user with write access to any repository, an attacker with similar access could potentially access metadata from private repositories you own or manage. This could expose sensitive information like repository names, branch structures, commit details, and user activity without proper authorization.

Compliance Impact

This vulnerability could lead to unauthorized access to private repository metadata, potentially exposing sensitive information. For GDPR, this may violate principles of data minimization and security. For HIPAA, if repository data includes protected health information, unauthorized access could breach compliance requirements.

Mitigation Strategies

Update GitHub Enterprise Server to version 3.17.18, 3.18.12, 3.19.9, 3.20.5, or 3.21.3 or later to address the missing authorization vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15783. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart