URL Redirection Vulnerability in GitHub Enterprise Server
CVE-2026-0573
7.6 HIGH
What is CVE-2026-0573?
A URL redirection vulnerability in GitHub Enterprise Server allows attackers to leverage improper handling of HTTP redirects. Exploiting this flaw enables malicious actors to redirect authenticated users to unauthorized domains, resulting in the potential exfiltration of sensitive authorization tokens such as the Actions.ManageOrgs JWT. This can lead to unauthorized access or even remote code execution if the tokens are misused. The vulnerability affects all versions of GitHub Enterprise Server prior to 3.19 and has been addressed in multiple updates, including versions 3.19.2, 3.18.4, and earlier releases.
Affected Version(s)
Enterprise Server 3.14 <= 3.14.21
Enterprise Server 3.15 <= 3.15.16