CVE-2026-3306 is an improper authorization vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) found in GitHub Enterprise Server versions 3.14.0 to 3.19.0. The vulnerability arises from insufficient permission checks when a user with read access to a repository and write access to a project attempts to add an existing item (such as an issue or pull request) to a project board. Specifically, when adding such an item, the system updates column values without verifying whether the user has write permissions on the repository itself. This flaw enables an attacker to modify metadata related to issues and pull requests, potentially altering project tracking information without proper authorization. The vulnerability was discovered and reported through GitHub's Bug Bounty program and has been addressed in subsequent patch releases. The CVSS 4.0 vector indicates the attack can be performed remotely over the network without user interaction or additional privileges beyond those stated. While the impact on confidentiality and availability is minimal, the integrity of project metadata can be compromised, potentially misleading project management and workflow processes. No public exploits have been observed, but the vulnerability poses a risk to organizations relying on GitHub Enterprise Server for secure project and code management.

The primary impact of CVE-2026-3306 is the unauthorized modification of issue and pull request metadata within GitHub Enterprise Server projects. This can lead to inaccurate project tracking, misrepresentation of issue or pull request status, and potential disruption of development workflows. While it does not directly expose source code or allow code execution, the integrity compromise can undermine trust in project data and cause confusion among development teams. Organizations with strict compliance or audit requirements may face challenges if project metadata is altered without proper authorization. Additionally, attackers could leverage this flaw to manipulate project priorities or hide critical issues, indirectly affecting the security posture or release timelines. Since the vulnerability requires only read access to repositories and write access to projects, it expands the threat surface to users with limited privileges, increasing the risk of insider threats or compromised accounts being exploited. The lack of known exploits reduces immediate risk but does not eliminate the potential for future abuse.

To mitigate CVE-2026-3306, organizations should immediately upgrade GitHub Enterprise Server to one of the patched versions: 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6, or 3.19.3. In addition to patching, administrators should audit user permissions to ensure the principle of least privilege is enforced, limiting write access to projects only to trusted users. Monitoring and logging project metadata changes can help detect unauthorized modifications. Implementing strict access controls and regular reviews of project boards and issue trackers can reduce the risk of unnoticed tampering. Organizations should also educate users about the importance of safeguarding their credentials to prevent account compromise. Finally, integrating automated security tools that detect anomalous changes in project metadata or unusual user activity can provide early warning signs of exploitation attempts.