PT-2026-20504 · Github · Github Enterprise Server
Ahacker1 +1
Published: 2026-02-18 · Updated: 2026-02-19
CVE-2026-1999
CVSS v4.0: 7.2 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:L/SA:L
Name of the Vulnerable Software and Affected Versions
GitHub Enterprise Server versions prior to 3.17.11
GitHub Enterprise Server versions prior to 3.18.5
GitHub Enterprise Server versions prior to 3.19.2
Description
An authorization flaw exists in GitHub Enterprise Server that could allow an attacker to merge a pull request into a repository without the necessary push permissions. The flaw is an authorization bypass in the enable auto-merge mutation for pull requests. Exploitation requires the target repository to allow forking and relies on opening a pull request from a fork controlled by the attacker. Successful exploitation is limited to pull requests with a clean status and target branches lacking branch protection rules.
Recommendations
Update GitHub Enterprise Server to version 3.17.11 or later.
Update GitHub Enterprise Server to version 3.18.5 or later.
Update GitHub Enterprise Server to version 3.19.2 or later.
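A triage helper, added here as an example (not code from the advisory or from GitHub): it checks a GHES version against the fixed versions listed above and, for a constructed repository record, lists the branches on which all of the described preconditions (vulnerable version, forking allowed, no branch protection rule) hold at once. The record's field names are assumptions, loosely modelled on GitHub REST API repository fields.

```python
"""Triage helper for CVE-2026-1999 (GitHub Enterprise Server auto-merge
authorization bypass). Added example, not code from the advisory or GitHub.

Assumptions: fixed versions are those stated in the advisory; RepoSettings is
a constructed record (field names assumed, loosely modelled on the GitHub REST
API repository object) rather than a real API response.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Fixed versions from the advisory, keyed by release line (major, minor).
FIXED_VERSIONS = {(3, 17): (3, 17, 11), (3, 18): (3, 18, 5), (3, 19): (3, 19, 2)}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a GHES version string such as '3.18.4' into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_vulnerable_version(version: str) -> bool | None:
    """True if the version is below the fix for its release line, False if
    patched, None if the release line is not covered by the advisory."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < fixed


@dataclass
class RepoSettings:
    """Constructed repository record used for the exposure check."""
    name: str
    allow_forking: bool
    branches: list[str]
    protected_branches: set[str] = field(default_factory=set)


def exposed_branches(repo: RepoSettings, ghes_version: str) -> list[str]:
    """Branches on which every precondition from the advisory holds: an
    unpatched server, forking allowed, and no branch protection rule.
    An empty list means the preconditions do not all hold for this repo."""
    status = is_vulnerable_version(ghes_version)
    if status is None:
        raise ValueError(f"release line of {ghes_version} not covered by advisory")
    if not status or not repo.allow_forking:
        return []
    return [b for b in repo.branches if b not in repo.protected_branches]
```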
Fix
Incorrect Authorization
SSRF