Auth bypass in GitHub Enterprise Server
CVE-2026-3582
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve issues and commits from private and intern…
Vulnerability class: Broken Access Control
EPSS: 0.000 (7.8th percentile)
Affected products
- GitHub Enterprise Server — versions 3.16.0, 3.17.0, 3.18.0