CVE-2026-0573 is an open redirect vulnerability (CWE-601) identified in GitHub Enterprise Server affecting versions 3.14 through 3.19. The vulnerability arises from the repository_pages API insecurely following HTTP redirects when fetching artifact URLs. During this process, the server preserves the Authorization header containing a privileged JWT token (Actions.ManageOrgs). An authenticated user with limited privileges can manipulate legacy redirects to point to attacker-controlled domains. When the server follows these redirects, it sends the sensitive JWT token to the attacker’s domain, enabling token exfiltration. The leaked token grants elevated privileges that could be used to perform remote code execution or other high-impact actions within the GitHub Enterprise environment. Exploitation requires authenticated access to the GitHub Enterprise Server and the ability to trigger legacy redirects. The vulnerability was responsibly disclosed via the GitHub Bug Bounty program and fixed in versions 3.19.2, 3.18.4, 3.17.10, 3.16.13, 3.15.17, and 3.14.22. The CVSS 4.0 base score is 7.6 (high severity), reflecting network attack vector, low attack complexity, partial privileges required, no user interaction, and high impact on confidentiality and integrity. No known public exploits have been reported to date.

For European organizations, this vulnerability poses a significant risk due to the potential leakage of privileged JWT tokens that control organization-level actions within GitHub Enterprise Server. Unauthorized access to these tokens can lead to privilege escalation, unauthorized repository or organization management, and potentially remote code execution within the enterprise environment. This could result in data breaches, intellectual property theft, disruption of software development workflows, and compromise of internal infrastructure. Organizations relying heavily on GitHub Enterprise Server for source code management and CI/CD pipelines are particularly at risk. The attack requires authenticated access, so insider threats or compromised user credentials increase the risk. Given the widespread use of GitHub Enterprise Server in Europe’s technology, finance, and government sectors, the impact could be broad and severe if unpatched.

European organizations should immediately verify their GitHub Enterprise Server version and upgrade to the fixed releases (3.19.2, 3.18.4, 3.17.10, 3.16.13, 3.15.17, or 3.14.22) to remediate this vulnerability. Additionally, administrators should audit legacy redirect configurations and disable or restrict any unnecessary redirects that could be exploited. Implement strict network segmentation and monitoring to detect unusual outbound requests from GitHub Enterprise Server instances. Review and rotate JWT tokens and credentials associated with Actions.ManageOrgs privileges to invalidate any potentially leaked tokens. Employ robust authentication and access controls to limit the number of users with authenticated access to GitHub Enterprise Server. Enable detailed logging and alerting on suspicious API calls or redirect usage. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block open redirect attempts targeting internal services. Finally, conduct regular security assessments and penetration tests focused on internal tools like GitHub Enterprise Server to identify similar risks proactively.