PT-2026-24397 · Github · Github Enterprise Server

Sergej Ljubojevic · Published 2026-03-10 · Updated 2026-03-30 · CVE-2026-3582

CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
- GitHub Enterprise Server versions prior to 3.20
- GitHub Enterprise Server versions 3.16.15 through 3.16.15
- GitHub Enterprise Server versions 3.17.12 through 3.17.12
- GitHub Enterprise Server versions 3.18.6 through 3.18.6
- GitHub Enterprise Server versions 3.19.3 through 3.19.3
Description
An incorrect authorization issue was identified in GitHub Enterprise Server. An authenticated user holding a classic personal access token (PAT) without the repo scope could retrieve issues and commits from private and internal repositories through the search REST API endpoints. Exploitation required the user to already have access to the repository, either through organization membership or as a collaborator. The affected API endpoints are the search REST API; the vulnerable component is the classic personal access token (PAT).
Recommendations
- Update GitHub Enterprise Server to version 3.20 or later.
- Update GitHub Enterprise Server to version 3.16.15.
- Update GitHub Enterprise Server to version 3.17.12.
- Update GitHub Enterprise Server to version 3.18.6.
- Update GitHub Enterprise Server to version 3.19.3.

Fix: see Recommendations above.

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-3582

Affected Products: Github Enterprise Server