Auth bypass in GitHub Enterprise Server
CVE-2026-3306
An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed a user with read access to a repository and write access to a project to modify issue and pull request metadata through the project. When addin…
The security-relevant point: the authorization decision for editing issue or pull request metadata was made against the project through which the item was reached, not against the repository that owns it, so write access on a project substituted for the repository write access such edits normally require. Any object reachable through a container must be authorized against the object itself, not only the container.
Vulnerability class: IDOR (Insecure Direct Object Reference)
EPSS: 0.000 (9.0th percentile). EPSS estimates the probability of exploitation activity in the wild within the next 30 days; a low score says nothing about impact, and this issue additionally requires an account that already holds read access to the repository and write access to a project.
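The flaw class in miniature, as an added illustration that is not GitHub Enterprise Server code: a hypothetical Python model in which projects reference issues owned by repositories, with a vulnerable metadata update that only checks project permissions next to a fixed one that also checks the owning repository. The user names, repository and project names, permission levels and label values are constructed for the example.

```python
"""Hypothetical model of the authorization flaw described above (not GHES code):
an edit reached through a project is authorized against the project instead of
the repository that owns the issue or pull request being modified."""
from dataclasses import dataclass, field
from enum import IntEnum


class Perm(IntEnum):
    NONE = 0
    READ = 1
    WRITE = 2


@dataclass
class Repository:
    name: str
    perms: dict[str, Perm] = field(default_factory=dict)

    def level(self, user: str) -> Perm:
        return self.perms.get(user, Perm.NONE)


@dataclass
class Issue:
    repo: Repository          # the resource that actually owns the metadata
    number: int
    labels: set[str] = field(default_factory=set)


@dataclass
class Project:
    name: str
    perms: dict[str, Perm] = field(default_factory=dict)
    items: list[Issue] = field(default_factory=list)   # issues/PRs added to the board

    def level(self, user: str) -> Perm:
        return self.perms.get(user, Perm.NONE)


class Forbidden(Exception):
    pass


def set_labels_vulnerable(user: str, project: Project, issue: Issue, labels: set[str]) -> set[str]:
    """Vulnerable path: authorizes only against the project. A project writer can
    change metadata on any referenced issue, even in a repo they can only read."""
    if project.level(user) < Perm.WRITE or issue not in project.items:
        raise Forbidden("no write access to project")
    issue.labels = set(labels)
    return issue.labels


def set_labels_fixed(user: str, project: Project, issue: Issue, labels: set[str]) -> set[str]:
    """Fixed path: the project check only establishes that the item is reachable;
    the mutation is authorized against the repository that owns the issue."""
    if project.level(user) < Perm.WRITE or issue not in project.items:
        raise Forbidden("no write access to project")
    if issue.repo.level(user) < Perm.WRITE:
        raise Forbidden(f"no write access to repository {issue.repo.name}")
    issue.labels = set(labels)
    return issue.labels


def _attempt(fn, user: str, project: Project, issue: Issue) -> bool:
    """Returns True if the update was allowed, False if refused."""
    try:
        fn(user, project, issue, {"wontfix"})
        return True
    except Forbidden:
        return False


def demo() -> tuple[bool, bool]:
    """Constructed scenario: mallory has read on the repo but write on the project.
    Returns (allowed by vulnerable check, allowed by fixed check)."""
    repo = Repository("acme/app", {"alice": Perm.WRITE, "mallory": Perm.READ})
    issue = Issue(repo, 42, {"bug"})
    project = Project("Roadmap", {"alice": Perm.WRITE, "mallory": Perm.WRITE}, [issue])
    return _attempt(set_labels_vulnerable, "mallory", project, issue), \
        _attempt(set_labels_fixed, "mallory", project, issue)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The fixed variant keeps the project check, because reachability through the board is still a legitimate precondition, but the permission that governs the write is the one on the resource being written. The same rule applies to any cross-object action (comments, assignees, milestones): authorize on the owner of the data, never on the path used to find it.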
Affected products
- GitHub Enterprise Server: versions 3.14.0, 3.15.0, 3.16.0 as listed here. The references below also cover the 3.17, 3.18 and 3.19 release notes, so confirm the exact affected and patched versions for your release line there before treating a later release as unaffected.
Weakness classification (CWE)
References
- docs.github.com/en/enterprise-server@3.14/admin/release-notes
- docs.github.com/en/enterprise-server@3.15/admin/release-notes
- docs.github.com/en/enterprise-server@3.16/admin/release-notes
- docs.github.com/en/enterprise-server@3.17/admin/release-notes
- docs.github.com/en/enterprise-server@3.18/admin/release-notes
- docs.github.com/en/enterprise-server@3.19/admin/release-notes