Improper Authorization Vulnerability in GitHub Enterprise Server
CVE-2026-5845

7.2 HIGH

Key Information:

Vendor: GitHub
CVE Published: 21 April 2026

What is CVE-2026-5845?

An improper authorization vulnerability exists in token authorization for scoped user-to-server interactions within GitHub Enterprise Server. The flaw lets an authenticated attacker gain unauthorized access to private repositories, potentially including write operations beyond the intended scope of the token. The root cause is an authorization fallback that treated a revoked or deleted installation as if it still held global installation privileges. The issue can be exploited in conjunction with token revocation timing and SSH push attribution, allowing misuse of tokens tied to a victim's context. Affected versions include all prior to 3.21, with multiple fixes applied in subsequent versions.
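To make the described root cause concrete, the following is an added, illustrative example (not GitHub's code, and not the actual vulnerable logic) of an authorization check for a scoped installation token. The names `Installation`, `ScopedToken`, `authorize_vulnerable` and `authorize_hardened` are assumptions made for this example. The first function reproduces the pattern the advisory describes: when the installation referenced by a token has been deleted or revoked, the lookup falls through to a global privilege set instead of failing closed. The second function shows the fail-closed form a reviewer would expect, which also enforces that a request stays within both the installation's grant and the narrower scope the token was issued with.

```python
from dataclasses import dataclass
from typing import Dict, Set


@dataclass
class Installation:
    """An app installation on an org/user (hypothetical model for this example)."""
    id: int
    active: bool              # False once the installation is revoked or deleted
    repos: Set[str]           # repositories the installation is granted access to
    permissions: Set[str]     # e.g. {"contents:read", "contents:write"}


@dataclass
class ScopedToken:
    """A user-to-server token narrowed to a subset of an installation's grant."""
    installation_id: int
    repos: Set[str]           # repositories the token was scoped down to
    permissions: Set[str]     # permissions the token was scoped down to
    revoked: bool = False


# Constructed stand-in for a "global" privilege set that an unsafe fallback might reach for.
GLOBAL_FALLBACK = Installation(
    id=0, active=True, repos={"*"}, permissions={"contents:read", "contents:write"}
)


def authorize_vulnerable(token: ScopedToken, repo: str, perm: str,
                         installations: Dict[int, Installation]) -> bool:
    """Illustrates the bug class: a missing or revoked installation falls back to
    global privileges instead of being rejected, and the token's own scope is ignored."""
    inst = installations.get(token.installation_id)
    if inst is None or not inst.active:
        inst = GLOBAL_FALLBACK      # BUG: fail-open fallback
    if "*" in inst.repos or repo in inst.repos:
        return perm in inst.permissions
    return False


def authorize_hardened(token: ScopedToken, repo: str, perm: str,
                       installations: Dict[int, Installation]) -> bool:
    """Fail closed: the token, the installation, the repo and the permission must all
    be valid, and the request must lie inside both the installation grant and the
    token's narrowed scope."""
    if token.revoked:
        return False
    inst = installations.get(token.installation_id)
    if inst is None or not inst.active:
        return False                # deleted/revoked installation => no privileges
    if repo not in inst.repos or repo not in token.repos:
        return False                # outside the installation grant or token scope
    return perm in inst.permissions and perm in token.permissions


if __name__ == "__main__":
    # Constructed scenario: installation 42 has been revoked, but a token issued
    # for it is still presented against a private repository it never covered.
    revoked = {42: Installation(42, active=False, repos={"org/app"},
                                permissions={"contents:read"})}
    tok = ScopedToken(42, repos={"org/app"}, permissions={"contents:read"})
    print("vulnerable:", authorize_vulnerable(tok, "org/private", "contents:write", revoked))
    print("hardened:  ", authorize_hardened(tok, "org/private", "contents:write", revoked))
```

The detection-side takeaway is the same as the code's: any authorization path that substitutes a default principal when a lookup fails should be treated as a finding, and a revoked or deleted installation should immediately invalidate every token derived from it.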

Affected Version(s)

Enterprise Server 3.20.0 < 3.20.1

Enterprise Server 3.19.0 <= 3.19.4

Enterprise Server 3.18.0 <= 3.18.7

CVSS V4

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

ahacker1