CVE-2026-3307: CWE-639 Authorization Bypass Through User-Controlled Key in GitHub Enterprise Server
An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository by manipulating the owner_id parameter in the request body. Authorization was verified against the repository in the URL, but the action was applied to a different repository specified in the request body. The impact is limited to assigning existing trusted users as bypass reviewers; it does not allow adding arbitrary external users. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4 and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.
AI Analysis
Technical Summary
This vulnerability arises because authorization checks are performed against the repository specified in the URL, but the action is applied to a different repository specified in the request body. An attacker with admin rights on one repository can exploit this to modify the delegated bypass reviewer list on another repository by manipulating the owner_id parameter. The impact is limited to assigning existing trusted users as bypass reviewers, without the ability to add arbitrary external users. The flaw affects GitHub Enterprise Server versions before 3.21 and was addressed in versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, and 3.20.1. The vulnerability was responsibly disclosed via the GitHub Bug Bounty program.
Potential Impact
An attacker with admin access on one repository can bypass authorization controls to modify the secret scanning push protection delegated bypass reviewer list on another repository. This could allow assigning trusted users as bypass reviewers on repositories where the attacker does not have admin rights. However, the attacker cannot add arbitrary external users, limiting the scope of potential misuse. The vulnerability could weaken secret scanning protections by altering reviewer assignments.
Mitigation Recommendations
Fixed versions are available: 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, and 3.20.1. Users of affected GitHub Enterprise Server versions should upgrade to one of these patched releases to remediate the vulnerability. No additional mitigation steps are indicated beyond applying the official patches.
CVE-2026-3307: CWE-639 Authorization Bypass Through User-Controlled Key in GitHub Enterprise Server
Description
An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository by manipulating the owner_id parameter in the request body. Authorization was verified against the repository in the URL, but the action was applied to a different repository specified in the request body. The impact is limited to assigning existing trusted users as bypass reviewers; it does not allow adding arbitrary external users. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4 and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability arises because authorization checks are performed against the repository specified in the URL, but the action is applied to a different repository specified in the request body. An attacker with admin rights on one repository can exploit this to modify the delegated bypass reviewer list on another repository by manipulating the owner_id parameter. The impact is limited to assigning existing trusted users as bypass reviewers, without the ability to add arbitrary external users. The flaw affects GitHub Enterprise Server versions before 3.21 and was addressed in versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, and 3.20.1. The vulnerability was responsibly disclosed via the GitHub Bug Bounty program.
Potential Impact
An attacker with admin access on one repository can bypass authorization controls to modify the secret scanning push protection delegated bypass reviewer list on another repository. This could allow assigning trusted users as bypass reviewers on repositories where the attacker does not have admin rights. However, the attacker cannot add arbitrary external users, limiting the scope of potential misuse. The vulnerability could weaken secret scanning protections by altering reviewer assignments.
Mitigation Recommendations
Fixed versions are available: 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, and 3.20.1. Users of affected GitHub Enterprise Server versions should upgrade to one of these patched releases to remediate the vulnerability. No additional mitigation steps are indicated beyond applying the official patches.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_P
- Date Reserved
- 2026-02-26T21:00:43.352Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e7faaa19fe3cd2cd00147c
Added to database: 4/21/2026, 10:31:06 PM
Last enriched: 4/21/2026, 10:47:23 PM
Last updated: 4/22/2026, 7:19:37 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.