Back to overview

CVE-2026-15783

MEDIUM
5.3
CVSS 4.0
Description
A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with write access to any repository to read metadata from private repositories they did not have access to, including private repository owners and names, branch names, commit SHAs, commit messages, and the pushing actor. The delegated bypass endpoint resolved a rule suite directly from an attacker-supplied, encoded identifier without verifying that the requesting user could read the rule suite's repository, and because these identifiers are sequential an attacker could enumerate them across the instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.17.18, 3.18.12, 3.19.9, 3.20.5, and 3.21.3. This vulnerability was reported via the GitHub Bug Bounty program.

Metadata

CVE ID
CVE-2026-15783
State
PUBLISHED
Assigner
GitHub_P
Reserved
2026-07-14 19:06 UTC
Published
2026-07-17 15:20 UTC
Last updated
2026-07-17 16:55 UTC
Primary CWE
CWE-862
CWE-862 Missing Authorization
Vendor / Product
GitHub / Enterprise Server
Sources
cve.org  ·  NVD

Severity & Metrics

5.3 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
GitHub Enterprise Server 3.17.0 ≤ 3.17.17, 3.18.0 ≤ 3.18.11, 3.19.0 ≤ 3.19.8, 3.20.0 ≤ 3.20.4 …
Weakness (CWE)
CWESourceDescription
CWE-862 cna CWE-862 Missing Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.3 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Back to overview