OAuth Redirect URI Validation Bypass in GitHub Enterprise Server
CVE-2026-4296

7.5 HIGH

Key Information:

Vendor: GitHub
CVE Published: 21 April 2026

What is CVE-2026-4296?

GitHub Enterprise Server validated OAuth redirect URIs with an incorrect regular expression, so a redirect_uri that does not match an OAuth application's registered callback URL could still be accepted. An attacker who knows a specific OAuth application's registered callback URL can craft an authorization link whose redirect_uri passes the flawed check but points at a domain the attacker controls. A user who clicks that link and authorizes the application is redirected there, so the authorization response (including the authorization code) is delivered to the attacker, who can then act with whatever scopes the user granted to that application. GitHub has fixed the issue; administrators should upgrade to the latest patched release of their affected series.
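The following is an added illustration of the bug class described above, not GitHub's code and not the regular expression from the advisory: a hypothetical redirect_uri validator built on a loosely written regex, beside a hardened validator that parses the URL and compares it component by component against the registered callback. The registered callback, the GHES host name, the client ID and the candidate redirect URIs are constructed sample data.

```python
import re
from urllib.parse import urlsplit, urlencode

# Constructed sample data: a hypothetical OAuth app's registered callback and
# a hypothetical GHES host. Neither comes from the advisory.
REGISTERED_CALLBACK = "https://app.example.com/oauth/callback"
GHES_HOST = "ghes.example.internal"


def weak_is_valid_redirect(redirect_uri: str, registered: str) -> bool:
    """Vulnerable validator (hypothetical, illustrating the bug class).

    The regex is anchored only at the start, the host is interpolated
    without re.escape(), and the path is never compared, so any URL that
    merely *begins* with something resembling the registered origin passes.
    """
    host = urlsplit(registered).netloc
    pattern = rf"^https://{host}"  # '.' is still a wildcard; no '$' or '/' anchor
    return re.match(pattern, redirect_uri) is not None


def strict_is_valid_redirect(redirect_uri: str, registered: str) -> bool:
    """Hardened validator: parse both URLs and require the same scheme,
    host, port, path and query (the simple string comparison of RFC 6749
    section 3.1.2.2, with case-insensitive scheme and host per RFC 3986),
    rejecting userinfo and fragments outright."""
    try:
        got, want = urlsplit(redirect_uri), urlsplit(registered)
        got_port, want_port = got.port, want.port  # ValueError on a malformed port
    except ValueError:
        return False
    if got.username is not None or got.password is not None:
        return False  # https://app.example.com@attacker.tld/ lands on attacker.tld
    if got.fragment:
        return False  # a fragment is never part of a registered callback
    if got.scheme.lower() != "https":
        return False  # never allow a downgrade to plain http
    defaults = {"https": 443, "http": 80}

    def key(u, port):
        scheme = u.scheme.lower()
        return (scheme, u.hostname, port or defaults.get(scheme), u.path, u.query)

    return key(got, got_port) == key(want, want_port)


# Constructed redirect_uri values an attacker might try against the weak regex.
CANDIDATE_REDIRECTS = [
    REGISTERED_CALLBACK,                                    # legitimate
    "https://app.example.com.attacker.tld/oauth/callback",  # registered host as a prefix
    "https://app.example.com@attacker.tld/oauth/callback",  # registered host as userinfo
    "https://appXexampleXcom/oauth/callback",               # unescaped '.' matches any char
]


def find_bypasses(validator, registered: str, candidates) -> list:
    """Return every candidate the validator under test accepts even though a
    strict comparison against the registered callback rejects it."""
    return [
        uri for uri in candidates
        if validator(uri, registered) and not strict_is_valid_redirect(uri, registered)
    ]


def authorization_link(client_id: str, redirect_uri: str, state: str) -> str:
    """Build the kind of authorization link a victim would be sent; the only
    attacker-chosen piece is redirect_uri, which the server must validate."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri, "state": state})
    return f"https://{GHES_HOST}/login/oauth/authorize?{query}"


if __name__ == "__main__":
    for uri in find_bypasses(weak_is_valid_redirect, REGISTERED_CALLBACK, CANDIDATE_REDIRECTS):
        print("accepted by weak regex, rejected by strict match:", uri)
        print("   ", authorization_link("hypothetical-client-id", uri, "opaque-state"))
```

When auditing an authorization server, point `find_bypasses` at its real validator with a candidate list like the one above; every URI it returns is a redirect the server would accept but that a strict match against the registered callback would not, which is exactly the condition that lets an attacker-crafted authorization link deliver the authorization code off-site.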

Affected Version(s)

Enterprise Server 3.14.0 through 3.14.25

Enterprise Server 3.15.0 through 3.15.20


CVSS V4

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: Unknown

The Attack Requirements, Privileges Required and User Interaction entries above are not valid CVSS v4 values (Attack Requirements is only ever None or Present), so the full vector string should be taken from the vendor advisory rather than from this table.

Timeline

  • Vulnerability reserved (date not given)

  • Vulnerability published: 21 April 2026

Credit

ahacker1
hacktron