PT-2026-20503 · Github · Github Enterprise Server

Ahacker1 · Published 2026-02-18 · Updated 2026-02-19 · CVE-2026-1355

CVSS v3.1: 6.5 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

GitHub Enterprise Server versions prior to 3.20
GitHub Enterprise Server versions 3.19.2 through 3.19.2
GitHub Enterprise Server versions 3.18.5 through 3.18.5
GitHub Enterprise Server versions 3.17.11 through 3.17.11
GitHub Enterprise Server versions 3.16.14 through 3.16.14
GitHub Enterprise Server versions 3.15.18 through 3.15.18
GitHub Enterprise Server versions 3.14.23 through 3.14.23

Description

A missing authorization check exists in the repository migration upload endpoint of GitHub Enterprise Server. An attacker with authentication to the instance can upload unauthorized content to another user's repository migration export by supplying the migration identifier. This allows overwriting or replacing a victim's migration archive, potentially leading to the download of attacker-controlled repository data during migration restores or automated imports.

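The missing check described above, shown as an added example rather than GitHub Enterprise Server code: a hypothetical in-memory migration store where one upload handler looks the migration up by identifier only and the other scopes the lookup to the authenticated caller. All class, method and user names are assumptions.

```ruby
# Hypothetical model, not GitHub Enterprise Server code; all names are assumptions.
Migration = Struct.new(:id, :owner, :archive)

class MigrationStore
  def initialize
    @rows = {}
  end

  def create(id, owner)
    @rows[id] = Migration.new(id, owner, nil)
  end

  # Unscoped lookup: any caller who knows the id gets the record.
  def find(id)
    @rows[id]
  end

  # Scoped lookup: the record is only visible to its owner.
  def find_for(actor, id)
    m = @rows[id]
    m if m && m.owner == actor
  end
end

# Flawed handler: authenticates the caller but never ties the id to them.
def upload_unchecked(store, actor, id, bytes)
  return :unauthenticated if actor.nil?
  m = store.find(id) or return :not_found
  m.archive = bytes
  :ok
end

# Corrected handler: object-level authorization through the scoped lookup.
# A foreign id is answered like a missing one, so ids are not confirmed.
def upload_checked(store, actor, id, bytes)
  return :unauthenticated if actor.nil?
  m = store.find_for(actor, id) or return :not_found
  m.archive = bytes
  :ok
end

def demo
  store = MigrationStore.new
  store.create(101, "alice")                    # constructed sample data
  upload_checked(store, "alice", 101, "alice-export")
  denied = upload_checked(store, "mallory", 101, "replaced")
  after_checked = store.find(101).archive       # still the owner's archive
  allowed = upload_unchecked(store, "mallory", 101, "replaced")
  [denied, after_checked, allowed, store.find(101).archive]
end
```
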
Recommendations

Update to GitHub Enterprise Server version 3.20 or later.
Update to GitHub Enterprise Server version 3.19.2.
Update to GitHub Enterprise Server version 3.18.5.
Update to GitHub Enterprise Server version 3.17.11.
Update to GitHub Enterprise Server version 3.16.14.
Update to GitHub Enterprise Server version 3.15.18.
Update to GitHub Enterprise Server version 3.14.23.

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-1355

Affected Products

Github Enterprise Server