
CVE-2026-9132

Severity: MEDIUM (CVSS 4.0 base score 6.0)
Description
A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to read source code from private repositories they did not have access to. The Copilot pull request description diff summary endpoint accepted a cross-repository comparison range and rendered the resulting diff without verifying that the requesting user was authorized to view the target repository. Exploitation required an authenticated account on the instance with read access to at least one repository to use as the comparison base. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, and 3.20.4. This vulnerability was reported via the GitHub Bug Bounty program.

Metadata

CVE ID
CVE-2026-9132
State
PUBLISHED
Assigner
GitHub_P
Reserved
2026-05-20 18:18 UTC
Published
2026-06-30 20:23 UTC
Last updated
2026-06-30 20:23 UTC
Primary CWE
CWE-862
CWE-862 Missing Authorization
Vendor / Product
GitHub / Enterprise Server
Sources
cve.org  ·  NVD

Severity & Metrics

6.0 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products (1)
Vendor
GitHub
Product
Enterprise Server
Affected versions
3.17.0 through 3.17.16, 3.18.0 through 3.18.10, 3.19.0 through 3.19.7, 3.20.0 through 3.20.3
Weakness (CWE)
CWE
CWE-862
Source
cna
Description
CWE-862 Missing Authorization
CVSS scores (1)
Score
6.0
Severity
MEDIUM
Version
CVSS 4.0
Source
cna
Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N