GitHub Enterprise Server allows unauthorized access to private code
CVE-2026-3582
Summary
Authenticated users who already have access to a private or internal repository (through organization membership or as a collaborator) can retrieve issues and commits from it through GitHub Enterprise Server's search REST API even when the token they present was not granted permission to view that data. This happens when the user authenticates with a classic personal access token (PAT) that lacks the repo scope. To fix this, update to GitHub Enterprise Server version 3.20 or later, or apply the patches for versions 3.16, 3.17, 3.18, and 3.19.
What to do
This database entry lists no fix; the vendor description below states that the issue was fixed in GitHub Enterprise Server 3.16.15, 3.17.12, 3.18.6 and 3.19.3, and in 3.20 and later. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github | enterprise_server | <= 3.16.15 | – |
| github | enterprise_server | > 3.17.0, <= 3.17.12 | – |
| github | enterprise_server | > 3.18.0, <= 3.18.6 | – |
| github | enterprise_server | > 3.19.0, <= 3.19.3 | – |
Original title
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve ...
Original description
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user must have had existing access to the repository through organization membership or as a collaborator for the vulnerability to be exploitable. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.16.15, 3.17.12, 3.18.6 and 3.19.3. This vulnerability was reported via the GitHub Bug Bounty program.
NVD CVSS 4.0 score: 5.3
Vulnerability type
CWE-862: Missing Authorization
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026