PT-2026-53988 · Github · Github Enterprise Server

Vaibhav Singh

·

Published

2026-06-30

·

Updated

2026-06-30

·

CVE-2026-9106

CVSS v4.0

4.8

Medium

VectorAV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions GitHub Enterprise Server versions prior to 3.22
Description A UI misrepresentation issue allows an OAuth application to obtain unauthorized access to organization runner management. An attacker can exploit this by creating an OAuth application that requests the manage runners:org scope and tricking a user into authorizing it, because this specific scope is not displayed on the authorization consent screen.
Recommendations Update to version 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, or 3.16.20.

Fix

UI Misrepresentation of Critical Information

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9106

Affected Products

Github Enterprise Server