PT-2026-34212 · Github · Github Enterprise Server

Ahacker1 · Published 2026-04-21 · Updated 2026-04-27 · CVE-2026-5845

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions prior to 3.21
Description: An improper authorization issue exists in the authorization of scoped user-to-server (ghu_) tokens. An authenticated attacker can access private repositories outside the intended installation scope and potentially perform write operations. The root cause is an authorization fallback that treats a revoked or deleted installation as a global installation context; this can be combined with token revocation timing and SSH push attribution to obtain and reuse a token scoped to a victim.
Recommendations: Update to version 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, or 3.14.26.

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-5845

Affected Products: Github Enterprise Server