CVE-2026-9132: CWE-862 Missing Authorization in GitHub Enterprise Server
CVE-2026-9132 is a missing authorization vulnerability in GitHub Enterprise Server that allowed authenticated users with read access to at least one repository to read source code from private repositories they were not authorized to access. The issue was in the Copilot pull request description diff summary endpoint, which accepted a cross-repository comparison range and rendered diffs without verifying user authorization for the target repository. This vulnerability affected specific versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, and 3.20.4. It was reported through the GitHub Bug Bounty program.
AI Analysis
Technical Summary
A missing authorization vulnerability (CWE-862) in GitHub Enterprise Server's Copilot pull request description diff summary endpoint allowed an authenticated user with read access to at least one repository to read source code from private repositories they did not have permission to access. The endpoint accepted a cross-repository comparison range and rendered the diff without verifying authorization on the target repository. This affected versions 3.17.0, 3.18.0, 3.19.0, and 3.20.0 and was fixed in patch releases 3.17.17, 3.18.11, 3.19.8, and 3.20.4. The vulnerability has a CVSS 4.0 score of 6.0 (medium severity).
Potential Impact
An authenticated user with read access to at least one repository on the affected GitHub Enterprise Server instance could read source code from private repositories they were not authorized to access. This unauthorized disclosure of source code could lead to exposure of sensitive intellectual property or confidential information.
Mitigation Recommendations
Fixes are available in GitHub Enterprise Server versions 3.17.17, 3.18.11, 3.19.8, and 3.20.4. Users should upgrade affected installations to one of these fixed versions or later. Patch status is confirmed by the vendor advisory. No other mitigations are specified.
CVE-2026-9132: CWE-862 Missing Authorization in GitHub Enterprise Server
Description
CVE-2026-9132 is a missing authorization vulnerability in GitHub Enterprise Server that allowed authenticated users with read access to at least one repository to read source code from private repositories they were not authorized to access. The issue was in the Copilot pull request description diff summary endpoint, which accepted a cross-repository comparison range and rendered diffs without verifying user authorization for the target repository. This vulnerability affected specific versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, and 3.20.4. It was reported through the GitHub Bug Bounty program.
CVSS v4.0
Score 6.0medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
A missing authorization vulnerability (CWE-862) in GitHub Enterprise Server's Copilot pull request description diff summary endpoint allowed an authenticated user with read access to at least one repository to read source code from private repositories they did not have permission to access. The endpoint accepted a cross-repository comparison range and rendered the diff without verifying authorization on the target repository. This affected versions 3.17.0, 3.18.0, 3.19.0, and 3.20.0 and was fixed in patch releases 3.17.17, 3.18.11, 3.19.8, and 3.20.4. The vulnerability has a CVSS 4.0 score of 6.0 (medium severity).
Potential Impact
An authenticated user with read access to at least one repository on the affected GitHub Enterprise Server instance could read source code from private repositories they were not authorized to access. This unauthorized disclosure of source code could lead to exposure of sensitive intellectual property or confidential information.
Mitigation Recommendations
Fixes are available in GitHub Enterprise Server versions 3.17.17, 3.18.11, 3.19.8, and 3.20.4. Users should upgrade affected installations to one of these fixed versions or later. Patch status is confirmed by the vendor advisory. No other mitigations are specified.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_P
- Date Reserved
- 2026-05-20T18:18:07.930Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a442fed27e9c7971964744d
Added to database: 06/30/2026, 21:06:53 UTC
Last enriched: 06/30/2026, 21:21:40 UTC
Last updated: 06/30/2026, 21:48:16 UTC
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.