CVE-2026-5845: CWE-639 Authorization bypass through User-Controlled key in GitHub Enterprise Server
CVE-2026-5845 is an authorization bypass vulnerability in GitHub Enterprise Server affecting versions prior to 3. 21. It allows an authenticated attacker to access private repositories outside the intended installation scope, potentially including write operations. The issue arises from an authorization fallback treating a revoked or deleted installation as a global installation context. This can be exploited by chaining token revocation timing and SSH push attribution to reuse a victim-scoped token. The vulnerability has a high severity score of 7. 2 and was fixed in versions 3. 20. 1 and later. No known exploits in the wild have been reported.
AI Analysis
Technical Summary
This vulnerability involves improper authorization in scoped user-to-server (ghu_) token authorization within GitHub Enterprise Server. Specifically, when an installation is revoked or deleted, the authorization fallback incorrectly treats it as a global context, enabling an attacker with authenticated access to use a victim's scoped token to access private repositories beyond their intended scope. This can include write access. The flaw affects all versions prior to 3.21 and was addressed by GitHub in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. The vulnerability was responsibly disclosed via GitHub's Bug Bounty program.
Potential Impact
An authenticated attacker with a scoped token can bypass intended authorization boundaries to access private repositories outside the installation scope, potentially performing write operations. This could lead to unauthorized code changes or data exposure within private repositories on affected GitHub Enterprise Server instances. The CVSS 4.0 score of 7.2 reflects high impact on confidentiality and integrity with low attack vector (local network or system access) and low complexity.
Mitigation Recommendations
This vulnerability has been fixed in GitHub Enterprise Server versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. Users should upgrade affected GitHub Enterprise Server instances to one of these fixed versions or later to remediate the issue. Patch status is confirmed by the vendor advisory embedded in the description. No additional mitigation steps are indicated.
CVE-2026-5845: CWE-639 Authorization bypass through User-Controlled key in GitHub Enterprise Server
Description
CVE-2026-5845 is an authorization bypass vulnerability in GitHub Enterprise Server affecting versions prior to 3. 21. It allows an authenticated attacker to access private repositories outside the intended installation scope, potentially including write operations. The issue arises from an authorization fallback treating a revoked or deleted installation as a global installation context. This can be exploited by chaining token revocation timing and SSH push attribution to reuse a victim-scoped token. The vulnerability has a high severity score of 7. 2 and was fixed in versions 3. 20. 1 and later. No known exploits in the wild have been reported.
CVSS v4.0
Score 7.2high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability involves improper authorization in scoped user-to-server (ghu_) token authorization within GitHub Enterprise Server. Specifically, when an installation is revoked or deleted, the authorization fallback incorrectly treats it as a global context, enabling an attacker with authenticated access to use a victim's scoped token to access private repositories beyond their intended scope. This can include write access. The flaw affects all versions prior to 3.21 and was addressed by GitHub in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. The vulnerability was responsibly disclosed via GitHub's Bug Bounty program.
Potential Impact
An authenticated attacker with a scoped token can bypass intended authorization boundaries to access private repositories outside the installation scope, potentially performing write operations. This could lead to unauthorized code changes or data exposure within private repositories on affected GitHub Enterprise Server instances. The CVSS 4.0 score of 7.2 reflects high impact on confidentiality and integrity with low attack vector (local network or system access) and low complexity.
Mitigation Recommendations
This vulnerability has been fixed in GitHub Enterprise Server versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. Users should upgrade affected GitHub Enterprise Server instances to one of these fixed versions or later to remediate the issue. Patch status is confirmed by the vendor advisory embedded in the description. No additional mitigation steps are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_P
- Date Reserved
- 2026-04-08T18:28:58.486Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e85dc119fe3cd2cd7080a1
Added to database: 4/22/2026, 5:33:53 AM
Last enriched: 4/29/2026, 11:13:35 AM
Last updated: 6/6/2026, 3:32:36 AM
Views: 118
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.