CVE-2026-14340: CWE-863: Incorrect Authorization in GitHub Enterprise Server
CVE-2026-14340 is an incorrect authorization vulnerability in GitHub Enterprise Server allowing a user-to-server token scoped to a GitHub App installation to perform unauthorized write operations on public repositories outside its intended scope. The flaw arose because the authorization check only verified read permissions on the target repository rather than confirming explicit access granted to the token's installation. Exploitation could let an attacker create issues, comments, and private vulnerability reports on any public repository, impersonating the victim user without revealing app involvement. This issue affects GitHub Enterprise Server versions 3.16.0, 3.17.0, 3.18.0, 3.19.0, 3.20.0, and 3.21.0 and was fixed in later patch releases.
AI Analysis
Technical Summary
An incorrect authorization vulnerability (CWE-863) in GitHub Enterprise Server allowed user-to-server tokens scoped to GitHub App installations to perform certain write operations on public repositories beyond their intended scope. The authorization logic only checked whether the installation had read permissions on the target repository, failing to verify explicit access for the token's installation. This permitted attackers who obtained a victim's token to create issues, issue comments, commit comments, and private vulnerability reports on any public repository, impersonating the victim user without any indication of app involvement. The vulnerability affects all versions prior to 3.22 and was fixed by adding a repository scope check for user-to-server tokens issued by global apps. Fixed versions include 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, and 3.16.20.
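The defect described above can be modelled as an authorization predicate that accepts "installation can read the repository" as a stand-in for "installation was granted this repository". The following is an added illustration, not GitHub's code: the `Installation`, `Repo` and `WRITE_OPS` names are hypothetical, and the "fixed" check simply adds the repository scope test the advisory describes.

```python
"""Hypothetical model of the CVE-2026-14340 authorization defect (not GHES code)."""
from __future__ import annotations
from dataclasses import dataclass

# Write operations named in the advisory, mapped to the app permission they
# would require in this model (hypothetical permission names).
WRITE_OPS = {
    "create_issue": "issues",
    "create_issue_comment": "issues",
    "create_commit_comment": "contents",
    "create_private_vuln_report": "security_events",
}

@dataclass(frozen=True)
class Repo:
    full_name: str
    public: bool

@dataclass
class Installation:
    app: str
    granted: frozenset[str]       # repositories explicitly granted to this installation
    permissions: dict[str, str]   # e.g. {"issues": "write"}

@dataclass
class UserToServerToken:
    user: str
    installation: Installation

def can_read(inst: Installation, repo: Repo) -> bool:
    """Any installation can read a public repo; private repos need an explicit grant."""
    return repo.public or repo.full_name in inst.granted

def authorize_vulnerable(token: UserToServerToken, repo: Repo, op: str) -> bool:
    """Pre-fix logic: readability of the target is treated as installation scope,
    so a token for installation X can write to any public repo."""
    inst = token.installation
    return can_read(inst, repo) and inst.permissions.get(WRITE_OPS[op]) == "write"

def authorize_fixed(token: UserToServerToken, repo: Repo, op: str) -> bool:
    """Post-fix logic: require that the repository is in the installation's grant
    list before consulting the permission level. Public readability is irrelevant."""
    inst = token.installation
    if repo.full_name not in inst.granted:
        return False
    return inst.permissions.get(WRITE_OPS[op]) == "write"
```

Running both predicates over the same token shows the scope escape: the vulnerable check allows an issue to be created on an unrelated public repository, the fixed check denies it while still allowing writes inside the installation's granted repositories.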
Potential Impact
An attacker with access to a victim's user-to-server token could perform unauthorized write operations on any public repository, including creating issues, comments, and private vulnerability reports. These actions would appear as if performed by the victim user, with no indication of GitHub App involvement. This could lead to unauthorized modifications and potential misinformation or abuse of repository issue tracking and vulnerability reporting features.
Mitigation Recommendations
This vulnerability has been fixed in GitHub Enterprise Server versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, and 3.16.20 by adding repository scope checks for user-to-server tokens issued by global apps. Users should upgrade affected GitHub Enterprise Server instances to one of these fixed versions or later. Patch status is confirmed by the vendor advisory. No additional mitigations are indicated.
CVSS v4.0
Score: 5.3 (medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_P
- Date Reserved: 2026-07-01T13:42:35.041Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a45818a27e9c7971923a345
Added to database: 07/01/2026, 21:07:22 UTC
Last enriched: 07/01/2026, 21:21:47 UTC
Last updated: 07/01/2026, 21:55:48 UTC
Views: 13