
CVE-2026-3306: CWE-639 Authorization Bypass Through User-Controlled Key in GitHub Enterprise Server

Severity: Medium
Tags: Vulnerability, CVE-2026-3306, CWE-639
Published: Tue Mar 10 2026 (03/10/2026, 17:46:57 UTC)
Source: CVE Database V5
Vendor/Project: GitHub
Product: Enterprise Server

Description

An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed a user with read access to a repository and write access to a project to modify issue and pull request metadata through the project. When adding an item to a project that already existed, column value updates were applied without verifying the actor's repository write permissions. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3.

AI-Powered Analysis

Last updated: 03/10/2026, 18:29:36 UTC

Technical Analysis

CVE-2026-3306 is an improper authorization vulnerability categorized under CWE-639 (Authorization Bypass Through User-Controlled Key) found in GitHub Enterprise Server versions 3.14.0 to 3.19.0. The vulnerability stems from insufficient permission checks when users add items to projects that already exist. Specifically, a user with read access to a repository and write access to a project can update issue and pull request metadata by manipulating project columns without having the necessary repository write permissions. This occurs because the system fails to verify the actor's repository write permissions before applying column value updates. The flaw could allow unauthorized modification of metadata associated with issues and pull requests, potentially impacting project management and tracking integrity. The vulnerability was discovered and reported through GitHub's Bug Bounty program and has been addressed in subsequent patch releases. The CVSS 4.0 vector indicates the attack can be performed remotely without user interaction, requires low privileges (limited to users with read and project write access), and results in low impact on integrity and availability, with no impact on confidentiality or system scope. No public exploits have been observed, but the vulnerability poses a risk to organizations relying on GitHub Enterprise Server for internal development workflows.

Potential Impact

The primary impact of CVE-2026-3306 is unauthorized modification of issue and pull request metadata within GitHub Enterprise Server projects. This can undermine the integrity of project tracking, cause confusion in development workflows, and potentially lead to incorrect project management decisions. While it does not directly expose confidential data or disrupt availability, the ability to alter metadata without proper authorization can facilitate further social engineering or insider threat activities. Organizations using affected versions may experience reduced trust in their project management data and increased risk of manipulation by users with limited privileges. Since GitHub Enterprise Server is widely used by enterprises for source code and project management, this vulnerability could affect software development lifecycles and compliance with internal controls. The medium CVSS score reflects moderate risk, but the impact could be more severe in environments with strict governance or regulatory requirements.

Mitigation Recommendations

To mitigate CVE-2026-3306, organizations should immediately upgrade GitHub Enterprise Server to one of the fixed versions: 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6, or 3.19.3. Until patches are applied, restrict project write permissions to trusted users only and audit existing project memberships to minimize exposure. Implement monitoring and alerting on unusual modifications to issue and pull request metadata to detect potential exploitation attempts. Review and tighten repository and project permission configurations to ensure least privilege principles are enforced. Additionally, educate users about the risks of improper permission assignments and encourage reporting of suspicious project activity. Regularly review GitHub Enterprise Server security advisories and integrate patch management into the organization's DevOps pipeline to ensure timely updates. Finally, consider isolating critical repositories or projects to reduce the blast radius of potential misuse.
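The missing check described above, next to its corrected form, plus a retrospective detection over project-item update events, as an added example (not GitHub's code; the event schema, permission-level names and sample data are constructed assumptions):

```python
# Added example, not GitHub's code. Event records and permission maps are
# constructed; real audit-log fields and role names on a GHES instance differ.

WRITE_LEVELS = {"write", "maintain", "admin"}

# Constructed sample of project column updates on linked issues/PRs.
EVENTS = [
    {"actor": "alice", "repo": "acme/payments", "item": "issue#42",
     "field": "Status", "value": "Done"},
    {"actor": "bob", "repo": "acme/payments", "item": "pr#17",
     "field": "Priority", "value": "P0"},
    {"actor": "carol", "repo": "acme/billing", "item": "issue#7",
     "field": "Status", "value": "In progress"},
]
# Constructed permissions: (actor, repo) -> repository role; actor -> project role.
REPO_PERMS = {("alice", "acme/payments"): "write",
              ("bob", "acme/payments"): "read",
              ("carol", "acme/billing"): "read"}
PROJECT_PERMS = {"alice": "write", "bob": "write", "carol": "read"}


def vulnerable_allows(actor, repo, repo_perms, project_perms):
    """Pre-fix check as the advisory describes it: only project write is
    verified, so the actor's repository role never enters the decision."""
    return project_perms.get(actor) in WRITE_LEVELS


def fixed_allows(actor, repo, repo_perms, project_perms):
    """Fixed check: the actor must also hold write access on the repository
    that owns the issue or PR whose metadata the column update changes."""
    return (project_perms.get(actor) in WRITE_LEVELS
            and repo_perms.get((actor, repo)) in WRITE_LEVELS)


def suspicious_updates(events, repo_perms, project_perms):
    """Retrospective detection: updates the vulnerable check accepts but the
    fixed check rejects, i.e. metadata changed by a read-only repo member."""
    return [e for e in events
            if vulnerable_allows(e["actor"], e["repo"], repo_perms, project_perms)
            and not fixed_allows(e["actor"], e["repo"], repo_perms, project_perms)]


if __name__ == "__main__":
    for e in suspicious_updates(EVENTS, REPO_PERMS, PROJECT_PERMS):
        print(f"{e['actor']} changed {e['field']} on {e['item']} in {e['repo']} "
              f"with only read access to the repository")
```

Feeding real project-item audit events and the instance's collaborator permissions into `suspicious_updates` gives a list of changes that should be reviewed on an unpatched instance.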


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_P
Date Reserved: 2026-02-26T21:00:40.345Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69b060189972381a9898f2b6

Added to database: 3/10/2026, 6:16:56 PM

Last enriched: 3/10/2026, 6:29:36 PM

Last updated: 3/14/2026, 2:29:08 AM
