Authentication Bypass in GitHub Enterprise Server
CVE-2026-6736

6.3 MEDIUM

Key Information:

Vendor

GitHub

CVE Published:
7 May 2026

What is CVE-2026-6736?

An authentication bypass vulnerability has been discovered in GitHub Enterprise Server that allows attackers to create local user accounts without validation by the external identity provider. The flaw arises when external authentication is enabled but the signup endpoint does not enforce the restrictions that should apply in that mode. As a result, an attacker with network access to a misconfigured GitHub Enterprise Server instance can create an account and start a session with default base permissions. All versions prior to 3.21 are affected; the fix is available in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15 and 3.16.18, and administrators should update promptly.

Affected Version(s)

Enterprise Server 3.16.0 to 3.16.17 (inclusive)

Enterprise Server 3.17.0 to 3.17.14 (inclusive)

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
