PT-2026-34211 · Github · Github Enterprise Server
Ahacker1 · Published 2026-04-21 · Updated 2026-04-26 · CVE-2026-5512
CVSS v4.0: 5.3 (Medium)
CVSS v4.0 vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions
GitHub Enterprise Server versions prior to 3.21
Description
An improper authorization issue exists where an authenticated attacker can determine the names of private repositories from their numeric IDs. This occurs because the mobile upload policy API endpoint ('/mobile/upload policy') does not perform an authorization check before validating the request, so its validation error messages disclose the full repository name for repositories the caller is not authorized to access.
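To illustrate the ordering flaw described above, the following added Ruby example (constructed for this advisory, not GitHub's code) models a request handler that validates before it authorizes, next to the authorize-first ordering that does not leak repository names. The REPOS table, the content-type check and both handler functions are assumptions for the illustration.

```ruby
# Constructed example: validate-before-authorize versus authorize-first.
# Not GitHub's code; repository data and checks are invented for the demo.

# Constructed repository table: numeric id => attributes.
REPOS = {
  1001 => { full_name: 'acme/secret-project', private: true,  members: ['alice'] },
  1002 => { full_name: 'acme/public-docs',    private: false, members: ['alice', 'bob'] },
}.freeze

def authorized?(repo, user)
  !repo[:private] || repo[:members].include?(user)
end

# Vulnerable ordering: parameter validation runs before the authorization
# check, and the validation error echoes the repository's full name, so any
# authenticated caller can learn the name behind a numeric id.
def upload_policy_vulnerable(user, repo_id, content_type)
  repo = REPOS[repo_id]
  return { status: 404, body: 'repository not found' } unless repo
  unless content_type.start_with?('image/')
    return { status: 422,
             body: "unsupported content type for #{repo[:full_name]}" }
  end
  return { status: 404, body: 'repository not found' } unless authorized?(repo, user)
  { status: 200, body: "policy for #{repo[:full_name]}" }
end

# Fixed ordering: authorization is the first check after lookup, a repository
# the caller may not see is indistinguishable from one that does not exist,
# and validation messages never include repository details.
def upload_policy_fixed(user, repo_id, content_type)
  repo = REPOS[repo_id]
  if repo.nil? || !authorized?(repo, user)
    return { status: 404, body: 'repository not found' }
  end
  unless content_type.start_with?('image/')
    return { status: 422, body: 'unsupported content type' }
  end
  { status: 200, body: "policy for #{repo[:full_name]}" }
end
```

A regression check for this class of bug is to assert that an unauthorized caller receives the same response for a private repository as for a non-existent id.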
Recommendations
Update to version 3.20.1
Update to version 3.19.5
Update to version 3.18.8
Update to version 3.17.14
Update to version 3.16.17
Update to version 3.15.21
Update to version 3.14.26
Affected Products
Github Enterprise Server