
CVE-2026-1999: CWE-863 Incorrect Authorization in GitHub Enterprise Server

Severity: High
Published: Wed Feb 18 2026 (02/18/2026, 20:44:51 UTC)
Source: CVE Database V5
Vendor/Project: GitHub
Product: Enterprise Server

Description

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enable_auto_merge mutation for pull requests. This issue only affected repositories that allow forking as the attack relies on opening a pull request from an attacker-controlled fork into the target repository. Exploitation was only possible in specific scenarios. It required a clean pull request status and only applied to branches without branch protection rules enabled. This vulnerability affected GitHub Enterprise Server versions prior to 3.19.2, 3.18.5, and 3.17.11, and was fixed in versions 3.19.2, 3.18.5, and 3.17.11. This vulnerability was reported via the GitHub Bug Bounty program.

AI-Powered Analysis

Last updated: 02/18/2026, 21:25:45 UTC

Technical Analysis

CVE-2026-1999 is an incorrect authorization vulnerability (CWE-863) in GitHub Enterprise Server that enables an attacker to bypass normal access controls and merge pull requests without having push permissions. The vulnerability arises from improper authorization checks in the enable_auto_merge GraphQL mutation for pull requests. Specifically, the flaw allows an attacker who can open a pull request from a forked repository to a target repository to merge their changes if the pull request is in a clean state and the target branch does not have branch protection rules enabled. This bypass circumvents the intended restriction that only users with push access can merge pull requests. The vulnerability affects GitHub Enterprise Server versions prior to 3.19.2, 3.18.5, and 3.17.11, and was responsibly disclosed via the GitHub Bug Bounty program. Exploitation requires authenticated access with at least limited permissions to create pull requests but does not require user interaction beyond that. The vulnerability has a CVSS 4.0 base score of 7.1, reflecting its network attack vector, low attack complexity, partial privileges required, no user interaction, and high impact on integrity. There are no known public exploits or reports of active exploitation in the wild. The issue is mitigated by applying the vendor patches and by enabling branch protection rules on critical branches to prevent unauthorized merges.

Potential Impact

For European organizations using GitHub Enterprise Server, this vulnerability poses a significant risk to the integrity of their source code repositories. An attacker exploiting this flaw could merge unauthorized code changes, potentially introducing malicious code, backdoors, or vulnerabilities into production software. This could lead to compromised software supply chains, intellectual property theft, or disruption of development workflows. The impact is especially critical for organizations with sensitive or regulated software development processes, such as financial institutions, healthcare providers, and critical infrastructure operators. Since the vulnerability requires repositories to allow forking and branches without protection, organizations with less stringent repository policies are at higher risk. The ability to bypass push access controls undermines trust in code review and approval processes, potentially leading to reputational damage and compliance violations under European data protection and cybersecurity regulations.

Mitigation Recommendations

European organizations should immediately verify their GitHub Enterprise Server versions and upgrade to 3.19.2, 3.18.5, or 3.17.11 or later to apply the official patches. In parallel, organizations should enforce branch protection rules on all critical branches to prevent unauthorized merges, including requiring status checks, code reviews, and restricting who can push or merge. Restrict repository forking permissions where possible, especially for sensitive projects, to reduce the attack surface. Review and tighten user permissions to ensure that only trusted users can create pull requests or enable auto-merge features. Implement monitoring and alerting on unusual pull request merges or auto-merge enablement activities. Conduct audits of recent merges for suspicious activity. Finally, educate development teams about the importance of branch protection and secure repository configuration to prevent similar risks.
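To make the version check and the repository audit above concrete, here is an added triage helper (not code from the advisory, GitHub, or the OffSeq site). It encodes the fixed versions and the two repository-level preconditions named in the advisory (forking allowed, no branch protection) and runs over a constructed inventory; the record field names mirror the GitHub REST API (`allow_forking`, `protected`), but the data is made up, and the handling of release trains without a listed fix is an assumption.

```python
from dataclasses import dataclass

# Fixed versions per release train, as stated in the advisory for CVE-2026-1999.
FIXED = {(3, 17): (3, 17, 11), (3, 18): (3, 18, 5), (3, 19): (3, 19, 2)}


def parse_version(version: str) -> tuple:
    """'3.18.4' -> (3, 18, 4); GHES versions are major.minor.patch."""
    return tuple(int(part) for part in version.split("."))


def server_is_vulnerable(version: str) -> bool:
    """True when the GHES version is below the fix for its release train.
    Assumption: trains with no listed fix (e.g. 3.16) are affected if below the
    newest fix, and newer trains (3.20+) are treated as already fixed."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2], max(FIXED.values()))
    return v < fixed


@dataclass
class Repo:
    name: str
    allow_forking: bool        # mirrors the REST API repository field
    branches: dict             # branch name -> {"protected": bool}  (constructed)


def exposed_branches(repo: Repo) -> list:
    """Branches meeting the advisory's repo-level preconditions: the repository
    allows forking and the branch has no protection rules. The 'clean PR
    status' condition is per pull request and is not modelled here."""
    if not repo.allow_forking:
        return []
    return sorted(b for b, meta in repo.branches.items() if not meta.get("protected"))


def triage(version: str, repos: list) -> dict:
    """Repo name -> exposed branches on a vulnerable server; {} once patched."""
    if not server_is_vulnerable(version):
        return {}
    findings = {}
    for repo in repos:
        exposed = exposed_branches(repo)
        if exposed:
            findings[repo.name] = exposed
    return findings


# Constructed sample inventory, not real repositories.
SAMPLE_REPOS = [
    Repo("payments", True, {"main": {"protected": True}, "release": {"protected": False}}),
    Repo("internal-tools", False, {"main": {"protected": False}}),
    Repo("docs", True, {"main": {"protected": False}, "gh-pages": {"protected": False}}),
]

if __name__ == "__main__":
    for name, branches in triage("3.18.4", SAMPLE_REPOS).items():
        print(f"{name}: unprotected branches reachable from fork PRs: {branches}")
```

Repositories that do not allow forking drop out of the findings even when unprotected, matching the advisory's statement that the attack relies on a fork-sourced pull request.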


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_P
Date Reserved: 2026-02-05T17:14:39.098Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69962af36aea4a407ae847ef

Added to database: 2/18/2026, 9:11:15 PM

Last enriched: 2/18/2026, 9:25:45 PM

Last updated: 2/21/2026, 12:18:18 AM

