CVE-2026-3582 is an Incorrect Authorization vulnerability (CWE-862) found in GitHub Enterprise Server prior to version 3.20. The flaw allows an authenticated user possessing a classic personal access token (PAT) that lacks the 'repo' scope to retrieve sensitive data such as issues and commits from private and internal repositories. This is possible via the search REST API endpoints, which improperly authorize access based solely on the user's existing repository membership or collaborator status, without verifying the PAT's scope. The vulnerability affects versions 3.16.0 through 3.19.0 and was addressed in patch releases 3.16.15, 3.17.12, 3.18.6, and 3.19.3. The issue was responsibly disclosed through the GitHub Bug Bounty program. The CVSS 4.0 base score is 5.3 (medium), reflecting network attack vector, low complexity, no user interaction, and limited impact on confidentiality. No known public exploits exist, and exploitation requires valid authentication and existing repository access, limiting the attack surface. The vulnerability highlights a gap in scope validation for PATs in API authorization logic.

The vulnerability could lead to unauthorized disclosure of repository issues and commit data to authenticated users who do not have the appropriate PAT scope but do have repository membership or collaboration rights. This may expose sensitive project information, internal discussions, or code changes that organizations intended to restrict. While the impact is limited to users with some level of repository access, it undermines the principle of least privilege by allowing broader data access than intended. For organizations relying on GitHub Enterprise Server for secure code hosting and collaboration, this could increase insider threat risks or accidental data leaks. The lack of known exploits reduces immediate risk, but the widespread use of GitHub Enterprise Server in enterprises globally means many organizations could be affected if not patched. The vulnerability does not allow privilege escalation or access to repositories without membership, limiting its severity but still posing a confidentiality risk.

Organizations should promptly upgrade GitHub Enterprise Server to versions 3.16.15, 3.17.12, 3.18.6, 3.19.3, or later to apply the official fix. Until patched, administrators should audit and restrict the issuance of classic personal access tokens, ensuring tokens have appropriate scopes and are only granted to trusted users. Review repository membership and collaborator lists to minimize unnecessary access. Implement monitoring of API usage patterns for anomalous search queries that could indicate exploitation attempts. Consider enforcing the use of fine-grained personal access tokens where possible, as they provide better scope control. Regularly review GitHub Enterprise Server security advisories and subscribe to vendor notifications for timely updates. Conduct internal security awareness training to inform users about the risks of token misuse and the importance of scope restrictions.