PT-2026-34209 · Github · Github Enterprise Server
Ahacker1 · +1
Published 2026-04-21 · Updated 2026-04-26
CVE-2026-4296
CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions prior to 3.21

Description: An incorrect regular expression allows an attacker to bypass OAuth redirect URI validation. An attacker aware of a first-party OAuth application's registered callback URL can create a malicious authorization link. If a victim clicks this link, the OAuth authorization code is redirected to a domain controlled by the attacker, potentially granting unauthorized access to the victim's account based on the scopes granted to the OAuth application.

Recommendations:
Update to version 3.20.1
Update to version 3.19.5
Update to version 3.18.8
Update to version 3.17.14
Update to version 3.16.17
Update to version 3.15.21
Update to version 3.14.26
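To make the defect class in the description concrete, the following is an added illustration; it is not GitHub's code and does not reproduce the actual regular expression from the advisory, which the page does not show. It puts a redirect URI check built from an unescaped, unanchored regular expression beside an exact-string match against the registered callback set, which is what OAuth 2.0 security guidance recommends. The callback URL and the candidate URIs are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed callback URL for a hypothetical first-party OAuth app (not a real registration).
REGISTERED_CALLBACKS = frozenset({"https://app.example.com/oauth/callback"})

# Illustrative weak validator: a regular expression assembled from the registered
# URL without re.escape() and without anchors. This is NOT the expression from the
# advisory; it stands in for the general class of "incorrect regular expression"
# defects. Two things go wrong here:
#   1. "." is a metacharacter, so "app-example.com" satisfies "app.example.com";
#   2. with no "^"/"$" anchors and re.search(), the registered URL only has to
#      appear somewhere inside the candidate, e.g. in a query string.
_WEAK_PATTERNS = [re.compile(url) for url in REGISTERED_CALLBACKS]


def weak_redirect_ok(redirect_uri: str) -> bool:
    """Accept if any weak pattern matches anywhere in the candidate URI."""
    return any(p.search(redirect_uri) for p in _WEAK_PATTERNS)


def strict_redirect_ok(redirect_uri: str, registered=REGISTERED_CALLBACKS) -> bool:
    """Exact-string comparison against the registered set, with a parse step that
    rejects non-https schemes and fragments before the comparison is made."""
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:
        return False
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in registered


# Constructed candidates: the genuine callback, a lookalike host, a redirector that
# embeds the genuine URL in its query string, and the genuine URL with a fragment.
CANDIDATES = [
    "https://app.example.com/oauth/callback",
    "https://app-example.com/oauth/callback",
    "https://redirector.example/r?next=https://app.example.com/oauth/callback",
    "https://app.example.com/oauth/callback#fragment",
]


def compare(candidates=CANDIDATES) -> dict:
    """Return {uri: (weak_result, strict_result)} for each candidate."""
    return {u: (weak_redirect_ok(u), strict_redirect_ok(u)) for u in candidates}


if __name__ == "__main__":
    for uri, (weak, strict) in compare().items():
        print(f"weak={weak!s:<5} strict={strict!s:<5} {uri}")
```

Running the block shows the weak check accepting all four candidates while the strict check accepts only the exact registered URL. If a regular expression must be kept, building it with re.escape() and anchoring it with ^ and $ closes both gaps shown here, but exact matching against a stored set is simpler to review and has no metacharacter surface at all.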

Related Identifiers

CVE-2026-4296

Affected Products

Github Enterprise Server