PT-2026-20504 · Github · Github Enterprise Server

Ahacker1 · Published 2026-02-18 · Updated 2026-02-19 · CVE-2026-1999

CVSS v4.0: 7.2 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:L/SA:L
Name of the Vulnerable Software and Affected Versions

GitHub Enterprise Server versions prior to 3.17.11
GitHub Enterprise Server versions prior to 3.18.5
GitHub Enterprise Server versions prior to 3.19.2

Description

An authorization flaw in GitHub Enterprise Server could allow an attacker to merge a pull request into a repository without the necessary push permissions. The cause is an authorization bypass in the "enable auto merge" mutation for pull requests. The issue requires the target repository to allow forking and relies on opening a pull request from a fork controlled by the attacker. Successful exploitation is limited to pull requests with a clean status and branches without branch protection rules.

Recommendations

Update GitHub Enterprise Server to version 3.17.11 or later.
Update GitHub Enterprise Server to version 3.18.5 or later.
Update GitHub Enterprise Server to version 3.19.2 or later.

Fix

Incorrect Authorization

SSRF


Weakness Enumeration

Related identifiers

CVE-2026-1999

Affected products

Github Enterprise Server