Authorization Issue in GitHub Enterprise Server by GitHub
CVE-2026-14340

5.3 MEDIUM

Key Information:

Vendor:
GitHub

CVE Published:
1 July 2026

What is CVE-2026-14340?

An incorrect authorization vulnerability in GitHub Enterprise Server allowed a user-to-server token with limited scope to perform unauthorized write operations on public repositories. The authorization check did not adequately verify that the GitHub App installation behind the token had been explicitly granted access to the target repository, so a public repository outside the installation's grant was treated as writable. As a result, an attacker holding a compromised user-to-server token could create issues, comments and vulnerability reports on such repositories as the victim user; because the writes are attributed to that user, the involvement of the GitHub App is obscured. A fix introduced an authorization scope check for these tokens, so every write is tested against the installation's explicit repository access. Administrators should upgrade past the affected ranges listed under Affected Version(s).
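The description above only states the flaw in prose. The following is an added, simplified model written for this page (it is not GitHub's code, and the class names, fields, repository names and the exact ordering of checks are assumptions). It puts the flawed check, which short-circuits on public repositories, beside the corrected check, which requires explicit installation access for every write, and shows why the resulting issue is attributed to the victim user. The scenario data (an app installed on one private repo, a public repo it was never granted) is constructed for the example.

```python
"""Model of the authorization flaw in CVE-2026-14340 (added example, not GitHub's code)."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Mapping, Optional


@dataclass(frozen=True)
class Repo:
    full_name: str
    public: bool


@dataclass(frozen=True)
class Installation:
    """A GitHub App installation: the repos it was granted and with what permissions.
    (Hypothetical shape; real installation objects carry more fields.)"""
    app_slug: str
    repos: FrozenSet[str]              # repositories explicitly selected at install time
    permissions: Mapping[str, str]     # e.g. {"issues": "write"}


@dataclass(frozen=True)
class UserToServerToken:
    """A token minted for a user through the app; it inherits the installation's grants
    but acts as the user."""
    user: str
    installation: Installation


def _has_permission(token: UserToServerToken, permission: str) -> bool:
    return token.installation.permissions.get(permission) == "write"


def authorize_write_vulnerable(token: UserToServerToken, repo: Repo, permission: str) -> bool:
    """Flawed check: a public repository bypasses the installation-access test entirely."""
    if not _has_permission(token, permission):
        return False
    if repo.public:
        return True        # BUG: never asks whether the installation was granted this repo
    return repo.full_name in token.installation.repos


def authorize_write_fixed(token: UserToServerToken, repo: Repo, permission: str) -> bool:
    """Corrected check: every write, public or private, needs explicit installation access."""
    if not _has_permission(token, permission):
        return False
    return repo.full_name in token.installation.repos


def create_issue(token: UserToServerToken, repo: Repo, title: str,
                 authorize: Callable[[UserToServerToken, Repo, str], bool]) -> Optional[dict]:
    """Simulate the API write. Returns the resulting audit-style record, or None when denied.
    The actor is the token's user, which is why the app's role is easy to miss in review."""
    if not authorize(token, repo, "issues"):
        return None
    return {
        "repo": repo.full_name,
        "title": title,
        "actor": token.user,                               # shows as the victim user
        "performed_via_github_app": token.installation.app_slug,
    }


# Constructed scenario: app granted one private repo, issues:write only.
APP = Installation("hypothetical-triage-app",
                   frozenset({"acme/internal-tools"}),
                   {"issues": "write"})
TOKEN = UserToServerToken("victim", APP)          # imagine this token has been stolen
GRANTED = Repo("acme/internal-tools", public=False)
PUBLIC_UNGRANTED = Repo("acme/website", public=True)
PRIVATE_UNGRANTED = Repo("acme/secrets", public=False)


def run_scenario() -> dict:
    """Evaluate both checks against each repo; useful for eyeballing the difference."""
    out = {}
    for label, repo in (("granted", GRANTED),
                        ("public_ungranted", PUBLIC_UNGRANTED),
                        ("private_ungranted", PRIVATE_UNGRANTED)):
        out[label] = (authorize_write_vulnerable(TOKEN, repo, "issues"),
                      authorize_write_fixed(TOKEN, repo, "issues"))
    return out


if __name__ == "__main__":
    for label, (vuln, fixed) in run_scenario().items():
        print(f"{label:18s} vulnerable={vuln!s:5s} fixed={fixed}")
```

The only row where the two checks disagree is the public repository the installation was never granted: the flawed path allows the write, the corrected path denies it. Note that the `performed_via_github_app` field in the simulated record is the kind of attribute a responder would look for when deciding whether an issue created "by" a user actually came through an app token.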

Affected Version(s)

Enterprise Server Linux 3.16.0 through 3.16.19

Enterprise Server Linux 3.17.0 through 3.17.16

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 1 July 2026

Credit

ahacker1