Unauthorized content can be uploaded to another user's repository migration export on GitHub Enterprise Server
CVE-2026-1355
Summary
A missing authorization check in the repository migration upload endpoint of GitHub Enterprise Server allowed any authenticated user of an instance who knew a migration identifier to overwrite or replace another user's repository migration export archive. A victim who later restored from that archive, or whose automated import consumed it, could receive attacker-controlled repository data. The attacker needs an account on the victim's GitHub Enterprise Server instance, not access to the victim's own account. The flaw was fixed in 3.14.23, 3.15.18, 3.16.14, 3.17.11, 3.18.5 and 3.19.2; version 3.20 and later are not affected.
What to do
Upgrade to the fixed release for your release line (3.14.23, 3.15.18, 3.16.14, 3.17.11, 3.18.5 or 3.19.2) or to 3.20 or later. No fixed release is listed for lines older than 3.14, so instances on those lines should move to a supported line. Because the flaw let any authenticated user on the instance replace a migration archive, treat repository migration exports created before the upgrade as untrusted until their contents have been verified, especially where restores or automated imports run without review.
Affected software
| Vendor | Product | Affected versions | Fixed in |
|---|---|---|---|
| github | enterprise_server | < 3.14.23 (all lines before 3.14 included) | 3.14.23 |
| github | enterprise_server | >= 3.15.0, < 3.15.18 | 3.15.18 |
| github | enterprise_server | >= 3.16.0, < 3.16.14 | 3.16.14 |
| github | enterprise_server | >= 3.17.0, < 3.17.11 | 3.17.11 |
| github | enterprise_server | >= 3.18.0, < 3.18.5 | 3.18.5 |
| github | enterprise_server | >= 3.19.0, < 3.19.2 | 3.19.2 |
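The table above is awkward to apply by hand across a fleet, so here is an added check, not part of the advisory and not code from GitHub, that maps a version string to the affected ranges listed. The fixed-version map is taken from the advisory text; the `/api/v3/meta` endpoint and its `installed_version` field are the real GitHub Enterprise Server Meta API, while the host, token and sample version strings are constructed for illustration.

```python
"""Decide whether a GitHub Enterprise Server version carries the CVE-2026-1355 fix.

Added example for this advisory page; not GitHub's code. Fixed versions are the
ones named in the advisory. Sample versions in main() are constructed.
"""
import json
import re
import urllib.request

# Release line -> first build on that line that carries the fix (from the advisory).
FIXED_VERSIONS = {
    (3, 14): (3, 14, 23),
    (3, 15): (3, 15, 18),
    (3, 16): (3, 16, 14),
    (3, 17): (3, 17, 11),
    (3, 18): (3, 18, 5),
    (3, 19): (3, 19, 2),
}
# 3.20 and every later line shipped without the flaw.
FIRST_CLEAN_LINE = (3, 20)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '3.17.10' (or 'v3.17.10') into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """Return True when `version` lacks the fix for CVE-2026-1355."""
    v = parse_version(version)
    line = v[:2]
    if line >= FIRST_CLEAN_LINE:
        return False
    fixed = FIXED_VERSIONS.get(line)
    if fixed is None:
        # Lines older than 3.14 are affected and have no fixed release listed.
        return True
    return v < fixed


def installed_version(base_url, token=None):
    """Read installed_version from a GHES instance's Meta API (network call).

    `base_url` is the instance origin, e.g. 'https://ghes.example.com' (assumed
    hostname). A token is only needed when the instance runs in private mode.
    """
    headers = {"Accept": "application/vnd.github+json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v3/meta", headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["installed_version"]


def main():
    # Constructed sample versions spanning each range in the table.
    for sample in ["3.13.9", "3.14.22", "3.14.23", "3.17.10", "3.17.11", "3.19.1", "3.20.0"]:
        print(f"{sample:<8} {'AFFECTED' if is_affected(sample) else 'fixed'}")


if __name__ == "__main__":
    main()
```

To check a live instance, replace the sample loop with `is_affected(installed_version("https://ghes.example.com", token))`; the Meta API does not require site-admin rights, so a read-only token is enough.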
Original title
A Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to upload unauthorized content to another user's repository migration export due to a missing authorization check in the repository migration upload endpoint.
Original description
A Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to upload unauthorized content to another user’s repository migration export due to a missing authorization check in the repository migration upload endpoint. By supplying the migration identifier, an attacker could overwrite or replace a victim’s migration archive, potentially causing victims to download attacker-controlled repository data during migration restores or automated imports. An attacker would require authentication to the victim's GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.2, 3.18.5, 3.17.11, 3.16.14, 3.15.18, 3.14.23. This vulnerability was reported via the GitHub Bug Bounty program.
NVD CVSS 3.1
6.5
NVD CVSS 4.0
6.0
Vulnerability type
CWE-862
Missing Authorization
- https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.23 Product Release Notes
- https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.18 Product Release Notes
- https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.14 Product Release Notes
- https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.11 Product Release Notes
- https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.5 Product Release Notes
- https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.2 Product Release Notes
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026