GitHub Enterprise Server Leaks Sensitive Tokens Through Redirects

CVE-2026-0573
Summary

A security flaw in GitHub Enterprise Server allows attackers to steal sensitive login tokens when users visit a malicious website. This vulnerability affects all versions of GitHub Enterprise Server up to 3.19 and can be fixed by updating to version 3.19.2 or later. If you're using an affected version, we recommend updating as soon as possible to prevent potential security risks.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor   Product            Affected versions       Fix available
github   enterprise_server  <= 3.14.22
github   enterprise_server  > 3.15.0, <= 3.15.17
github   enterprise_server  > 3.16.0, <= 3.16.13
github   enterprise_server  > 3.17.0, <= 3.17.10
github   enterprise_server  > 3.18.0, <= 3.18.4
github   enterprise_server  > 3.19.0, <= 3.19.2
Original title
A URL redirection vulnerability was identified in GitHub Enterprise Server that allowed attacker-controlled redirects to leak sensitive authorization tokens. The repository_pages API insecurely fo...
Original description
A URL redirection vulnerability was identified in GitHub Enterprise Server that allowed attacker-controlled redirects to leak sensitive authorization tokens. The repository_pages API insecurely followed HTTP redirects when fetching artifact URLs, preserving the authorization header containing a privileged JWT. An authenticated user could redirect these requests to an attacker-controlled domain, exfiltrate the Actions.ManageOrgs JWT, and leverage it for potential remote code execution. Attackers would require access to the target GitHub Enterprise Server instance and the ability to exploit a legacy redirect to an attacker-controlled domain. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19 and was fixed in versions 3.19.2, 3.18.4, 3.17.10, 3.16.13, 3.15.17, and 3.14.22. This vulnerability was reported via the GitHub Bug Bounty program.
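The root cause described above is an HTTP client that replays its Authorization header on a cross-origin redirect. The Ruby sketch below is an added example, not GitHub's code, of the per-hop check a redirect-following fetcher should apply: credentials are kept only while the redirect target stays on the origin the request was originally addressed to. The hostnames, the transport interface and the placeholder token are all constructed for the offline demo.

```ruby
require 'uri'

REDIRECT_STATUSES = [301, 302, 303, 307, 308].freeze
# Headers that carry credentials and must not cross an origin boundary.
CREDENTIAL_HEADERS = %w[authorization cookie proxy-authorization].freeze

# Two URLs share an origin when scheme, host and port all match.
def same_origin?(a, b)
  a = URI(a)
  b = URI(b)
  a.scheme == b.scheme && a.host == b.host && a.port == b.port
end

# Headers a hop may carry: credentials survive only on the original origin.
def headers_for_hop(headers, origin_url, next_url)
  return headers if same_origin?(origin_url, next_url)
  headers.reject { |name, _| CREDENTIAL_HEADERS.include?(name.downcase) }
end

# Follows redirects through a caller-supplied transport so it runs offline.
# transport.call(url, headers) must return [status, response_headers, body].
# Returns the final response plus every (url, headers) pair actually sent.
def fetch_following_redirects(url, headers, transport, max_hops: 5)
  sent = []
  current = url
  (max_hops + 1).times do
    sent << [current, headers]
    status, resp_headers, body = transport.call(current, headers)
    return { status: status, body: body, final_url: current, sent: sent } unless REDIRECT_STATUSES.include?(status)
    location = resp_headers['location'] or raise 'redirect without Location'
    next_url = URI.join(current, location).to_s
    headers = headers_for_hop(headers, url, next_url)   # compare against the ORIGINAL origin
    current = next_url
  end
  raise "more than #{max_hops} redirects from #{url}"
end

# Constructed scenario (placeholder hosts): the in-house artifact host redirects
# to an external domain, which redirects once more before serving a body.
DEMO_ROUTES = {
  'https://ghes.example.internal/artifact/1' => [302, { 'location' => 'https://cdn.attacker.example/a' }, ''],
  'https://cdn.attacker.example/a' => [307, { 'location' => '/b' }, ''],
  'https://cdn.attacker.example/b' => [200, {}, 'artifact bytes']
}.freeze

# Which hosts saw the bearer token under this policy? Expected: only the origin.
def hosts_that_received_authorization
  result = fetch_following_redirects('https://ghes.example.internal/artifact/1',
                                     { 'Authorization' => 'Bearer <placeholder-jwt>' },
                                     ->(u, _h) { DEMO_ROUTES.fetch(u) })
  result[:sent].select { |_, h| h.key?('Authorization') }.map { |u, _| URI(u).host }.uniq
end
```

Logging every hop where a credential header was dropped (the `sent` list above) also gives a detection signal: an artifact fetch that ever leaves the configured artifact origin is itself worth alerting on.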
NVD CVSS 3.1: 9.0
NVD CVSS 4.0: 7.6
Vulnerability type
CWE-601 Open Redirect
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026