PT-2026-53988 · Github · Github Enterprise Server
Vaibhav Singh
·
Published
2026-06-30
·
Updated
2026-06-30
·
CVE-2026-9106
CVSS v4.0
4.8
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
GitHub Enterprise Server versions prior to 3.22
Description
A UI misrepresentation issue lets an OAuth application obtain unauthorized access to organization self-hosted runner management. An attacker creates an OAuth application that requests the manage_runners:org scope and tricks a user into authorizing it: the affected versions do not display this scope on the authorization consent screen, so the user approves the grant without seeing it. The resulting token is still bounded by the authorizing user's own permissions, so the attacker gains runner management only in organizations where that user can already manage self-hosted runners.
Recommendations
Update to version 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, or 3.16.20.
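Because the consent screen cannot be trusted on unpatched versions, a reviewer has two other places to see the requested scope: the scope query parameter of the authorize URL the app sends the user to, and the X-OAuth-Scopes response header that GitHub returns on any API call made with the issued token. The following Python helpers parse both and flag runner-management scopes. This is an added example, not code from the advisory, from Positive Technologies or from GitHub; the watch-list, the host names, the client_id and the sample headers are constructed for illustration.

```python
"""Added example: audit OAuth authorize URLs and token scope headers for
runner-management scopes that a consent screen may have hidden.

Not from the advisory or from GitHub.  The host names, client_id, sample
headers and the RUNNER_SCOPES watch-list are constructed for this example.
"""
from urllib.parse import parse_qs, urlparse

# Reviewer's watch-list of scopes that hand out control of self-hosted
# runners (assumption: extend it for your own deployment).
RUNNER_SCOPES = frozenset({"manage_runners:org"})


def requested_scopes(authorize_url: str) -> frozenset[str]:
    """Scopes named in the `scope` query parameter of an OAuth authorize URL.

    GitHub documents the list as space-delimited; some clients send commas,
    so both separators are accepted.  No `scope` parameter means the app
    asked only for public read access, so the result is empty.
    """
    query = parse_qs(urlparse(authorize_url).query)
    scopes = set()
    for raw in query.get("scope", []):
        scopes.update(raw.replace(",", " ").split())
    return frozenset(scopes)


def granted_scopes(response_headers: dict[str, str]) -> frozenset[str]:
    """Scopes a token actually carries, read from the X-OAuth-Scopes header.

    GitHub sends the header as a comma-separated list ("repo, user").
    Header names are matched case-insensitively; a missing header yields
    an empty set.
    """
    for name, value in response_headers.items():
        if name.lower() == "x-oauth-scopes":
            return frozenset(s.strip() for s in value.split(",") if s.strip())
    return frozenset()


def runner_scopes_in(scopes, watch=RUNNER_SCOPES) -> frozenset[str]:
    """Subset of `scopes` that grants self-hosted runner management."""
    return frozenset(scopes) & frozenset(watch)


def audit_authorize_url(authorize_url: str, shown_on_consent_screen) -> dict:
    """Compare what the app requested with what the consent page displayed.

    `shown_on_consent_screen` is the scope list a reviewer transcribed from
    the consent UI.  Anything requested but not shown is a hidden scope; on
    an unpatched GHES that is where manage_runners:org ends up.  Any hidden
    scope at all means the UI misrepresented the grant, so the decision is
    "reject" rather than a judgement about the scope's sensitivity.
    """
    requested = requested_scopes(authorize_url)
    hidden = requested - frozenset(shown_on_consent_screen)
    return {
        "requested": sorted(requested),
        "hidden": sorted(hidden),
        "runner_access": sorted(runner_scopes_in(requested)),
        "decision": "reject" if hidden else "ok",
    }


# Constructed sample: a malicious app's authorize link (host and client_id
# are placeholders).  The scope list is URL-encoded, space-delimited.
SAMPLE_URL = (
    "https://ghes.example.internal/login/oauth/authorize"
    "?client_id=0123456789abcdef0123"
    "&scope=read:user%20manage_runners:org"
    "&redirect_uri=https://attacker.example/callback"
)
# Constructed sample: response headers from GET /api/v3/user made with the
# token issued after the user clicked "Authorize".
SAMPLE_HEADERS = {"X-OAuth-Scopes": "read:user, manage_runners:org"}

if __name__ == "__main__":
    # The reviewer saw only "read:user" on the consent screen.
    print(audit_authorize_url(SAMPLE_URL, ["read:user"]))
    print(sorted(granted_scopes(SAMPLE_HEADERS)))
```

After patching, the same audit should report no hidden scopes for the same URL, because the consent page now lists manage_runners:org; the X-OAuth-Scopes check is independent of the UI and works on any version.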
Fix
Weakness Enumeration
UI Misrepresentation of Critical Information
Related Identifiers
Affected Products
Github Enterprise Server