PT-2026-34196 · Github · Enterprise Server
Ahacker1 · Published 2026-04-21 · Updated 2026-04-26 · CVE-2026-3307
CVSS v4.0 5.3 Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
GitHub Enterprise Server versions prior to 3.21
Description
An authorization bypass allows an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository. It is triggered by manipulating the owner id parameter in the request body: authorization is verified against the repository in the URL, but the action is applied to the repository specified in the request body. The impact is limited to assigning existing trusted users as bypass reviewers; arbitrary external users cannot be added.
Recommendations
Update to version 3.14.25
Update to version 3.15.20
Update to version 3.16.16
Update to version 3.17.13
Update to version 3.18.7
Update to version 3.19.4
Update to version 3.20.1
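As an added illustration (not GitHub's code; repository names, users, the `repository_id` field and the function names are constructed), a minimal model of the URL-versus-body mismatch described above, beside a hardened handler that ties the authorization check and the mutation to the same repository and rejects a disagreeing body identifier:

```python
from copy import deepcopy

# Constructed sample state: repository -> admins and push-protection bypass reviewers.
SAMPLE_REPOS = {
    "acme/frontend": {"admins": {"alice"}, "reviewers": set()},
    "acme/backend": {"admins": {"bob"}, "reviewers": set()},
}
ORG_MEMBERS = {"alice", "bob", "carol"}  # only existing trusted users may be reviewers


def fresh_repos():
    """Return an independent copy of the sample state for each scenario."""
    return deepcopy(SAMPLE_REPOS)


def is_admin(repos, user, repo):
    return user in repos[repo]["admins"]


def add_reviewer_vulnerable(repos, user, url_repo, body):
    """Checks admin rights on the URL repository, then applies the change to the
    repository named in the request body (the pattern behind CVE-2026-3307)."""
    if not is_admin(repos, user, url_repo):
        raise PermissionError(f"{user} is not an admin of {url_repo}")
    if body["reviewer"] not in ORG_MEMBERS:
        raise ValueError("reviewer must be an existing trusted user")
    target = body.get("repository_id", url_repo)  # client-supplied, never re-checked
    repos[target]["reviewers"].add(body["reviewer"])
    return target


def add_reviewer_fixed(repos, user, url_repo, body):
    """Authorizes and applies the change to the same repository; a body identifier
    that disagrees with the URL is rejected rather than trusted."""
    body_repo = body.get("repository_id")
    if body_repo is not None and body_repo != url_repo:
        raise ValueError("repository_id in body does not match the URL repository")
    if not is_admin(repos, user, url_repo):
        raise PermissionError(f"{user} is not an admin of {url_repo}")
    if body["reviewer"] not in ORG_MEMBERS:
        raise ValueError("reviewer must be an existing trusted user")
    repos[url_repo]["reviewers"].add(body["reviewer"])
    return url_repo
```

A simple detection check for this class of bug is a test that sends a body identifier differing from the URL and asserts the request is refused.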
Fix
IDOR
Affected Products
Enterprise Server