Authorization Issue in GitHub Enterprise Server by GitHub
CVE-2026-14340
What is CVE-2026-14340?
An incorrect authorization vulnerability in GitHub Enterprise Server allowed a user-to-server token with limited scope to perform unauthorized write operations on public repositories. The authorization check did not adequately verify that the GitHub App installation behind the token had been explicitly granted access to the target repository. An attacker holding a compromised user-to-server token could therefore create issues, comments, and vulnerability reports as the victim user, with the activity attributed to that user rather than to the GitHub App, which hides the app's involvement. The fix adds an authorization scope check for these tokens.
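The authorization gap described above, as an added Ruby example (GitHub Enterprise Server is a Rails application, but this is not its code; every structure, name and the action-to-permission mapping are hypothetical). It shows the vulnerable check, which skips the installation's explicit repository grant for public repositories, beside the fixed check, which requires that grant for every repository:

```ruby
# Added example, not GitHub's code: a model of the authorization check that
# CVE-2026-14340 describes. All structures, names and the action-to-permission
# mapping below are hypothetical.
#
# A user-to-server token is issued to a GitHub App installation on behalf of a
# user, so a write through it should be allowed only when all three hold:
#   1. the user's own permission on the repository allows the write,
#   2. the app requested a permission that covers the action, and
#   3. the installation was explicitly granted access to that repository.
# The vulnerable check skipped (3) for public repositories; the fixed check
# requires it for every repository regardless of visibility.

Repository   = Struct.new(:id, :full_name, :public)
Installation = Struct.new(:app_slug, :repository_ids, :permissions)
UserToken    = Struct.new(:login, :installation, :user_repo_permissions)

# Hypothetical mapping of write actions to the app permission they need.
ACTION_PERMISSION = {
  create_issue:                :issues,
  create_comment:              :issues,
  create_vulnerability_report: :security_advisories,
}.freeze

# Checks 1 and 2, shared by both versions of the authorization logic.
def user_and_app_allow?(token, repo, action)
  needed = ACTION_PERMISSION[action]
  return false if needed.nil?                              # unknown action: deny
  user_level = token.user_repo_permissions[repo.id]
  return false unless %i[write admin].include?(user_level) # check 1
  token.installation.permissions[needed] == :write         # check 2
end

# Vulnerable: public repositories bypass the explicit installation grant, so a
# token scoped to one repository can write to any public repository its user
# can write to, and the write is recorded as the user's own action.
def vulnerable_authorize?(token, repo, action)
  return false unless user_and_app_allow?(token, repo, action)
  return true if repo.public                               # missing check 3
  token.installation.repository_ids.include?(repo.id)
end

# Fixed: the installation's explicit grant is required for every repository.
def fixed_authorize?(token, repo, action)
  return false unless user_and_app_allow?(token, repo, action)
  token.installation.repository_ids.include?(repo.id)      # check 3 always
end

# Constructed sample data: the app was installed only on the private repo, but
# the user the token was issued for can write to both repositories.
GRANTED_REPO = Repository.new(1, "acme/internal-tool", false)
PUBLIC_REPO  = Repository.new(2, "acme/website", true)
INSTALLATION = Installation.new("ci-bot", [GRANTED_REPO.id],
                                { issues: :write, security_advisories: :write })
TOKEN = UserToken.new("alice", INSTALLATION,
                      { GRANTED_REPO.id => :write, PUBLIC_REPO.id => :write })

# Returns [vulnerable_result, fixed_result] for a repository and action.
def compare(repo, action, token = TOKEN)
  [vulnerable_authorize?(token, repo, action), fixed_authorize?(token, repo, action)]
end

if __FILE__ == $PROGRAM_NAME
  puts "granted private repo:  #{compare(GRANTED_REPO, :create_issue).inspect}"
  puts "ungranted public repo: #{compare(PUBLIC_REPO, :create_issue).inspect}"
end
```

Running it prints `[true, true]` for the repository the installation was granted and `[true, false]` for the public repository it was not: the vulnerable check lets the token write there because the user could, while the fixed check denies it because the installation's scope never included that repository. The user's own permission and the app's requested permissions are necessary but not sufficient; the installation grant is the third, independent boundary.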
Affected Version(s)
Enterprise Server Linux: 3.16.0 <= version <= 3.16.19
Enterprise Server Linux: 3.17.0 <= version <= 3.17.16