Missing Authorization Vulnerability in GitHub Enterprise Server
CVE-2026-15783

5.3MEDIUM

Key Information:

Vendor

Github

Vendor
CVE Published:
17 July 2026

What is CVE-2026-15783?

A missing authorization vulnerability was discovered in GitHub Enterprise Server. This flaw enables an authenticated user with write access to any repository to access metadata from private repositories they should not have access to. Details such as private repository owners, branch names, commit SHAs, commit messages, and pushing actor can be extracted. The vulnerability arises from a compromised endpoint that processes attacker-supplied, encoded identifiers, bypassing necessary authorizations. This issue affects all versions prior to 3.22 and has been addressed in subsequent releases.

Affected Version(s)

Enterprise Server 3.17.0 <= 3.17.17

Enterprise Server 3.17.0 <= 3.17.17

Enterprise Server 3.18.0 <= 3.18.11

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ahmed Mamdoh (0hmz)
.