PT-2026-53989 · Github · Github Enterprise Server

Seokchan Yoon · Published 2026-06-30 · Updated 2026-06-30 · CVE-2026-9132

CVSS v4.0: 6.0 (Medium)

Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions prior to 3.21

Description: An authenticated user can read source code from private repositories they are not authorized to access. The issue occurs because the Copilot pull request description diff summary endpoint accepts a cross-repository comparison range and renders the diff without verifying the requesting user's authorization for the target repository. Exploitation requires an authenticated account on the instance with read access to at least one repository to serve as the comparison base.

Recommendations:
Update to version 3.17.17
Update to version 3.18.11
Update to version 3.19.8
Update to version 3.20.4
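The defect class described above is a diff endpoint that authorizes only the repository the request was routed to while a comparison range can name a second repository. The following Ruby example is added here to illustrate the check; it is not GitHub's code and does not reproduce the affected endpoint. It assumes a range syntax of `base...head` where either side may carry an `owner/repo:ref` qualifier, and the access-control table, repository contents and function names are all constructed for the illustration.

```ruby
# Added example (not GitHub's code): authorize every repository referenced by a
# cross-repository comparison range before rendering a diff summary.
#
# Assumed range syntax: "base...head". Either side may be qualified as
# "owner/repo:ref"; an unqualified side refers to the repository the request
# was made against.

require 'set'

# Constructed authorization data: user -> repositories with read access.
READ_ACCESS = {
  'alice' => Set['org/base-repo'],
  'bob'   => Set['org/base-repo', 'org/private-repo'],
}.freeze

# Constructed repository contents: repo -> ref -> file contents.
REPOS = {
  'org/base-repo'    => { 'main' => "puts 'hello'\n" },
  'org/private-repo' => { 'main' => "SECRET = 'do-not-leak'\n" },
}.freeze

# Splits the range into [base, head]; each side is a [repo, ref] pair.
def parse_range(range, request_repo)
  base, head = range.split('...', 2)
  raise ArgumentError, 'range must be base...head' if head.nil?
  [base, head].map do |side|
    side.include?(':') ? side.split(':', 2) : [request_repo, side]
  end
end

def can_read?(user, repo)
  READ_ACCESS.fetch(user, Set.new).include?(repo)
end

def render_diff(base, head)
  old_text = REPOS.fetch(base[0]).fetch(base[1])
  new_text = REPOS.fetch(head[0]).fetch(head[1])
  "-#{old_text}+#{new_text}"
end

# Vulnerable shape: only the routed repository is authorized, so a qualifier
# naming another repository reaches the renderer unchecked.
def summarize_diff_vulnerable(user, request_repo, range)
  return :not_found unless can_read?(user, request_repo)
  base, head = parse_range(range, request_repo)
  render_diff(base, head)
end

# Hardened shape: every repository named by the request or by either side of
# the range must be readable by the user. Deny with the same response as a
# missing repository so the check does not confirm private repository names.
def summarize_diff_hardened(user, request_repo, range)
  base, head = parse_range(range, request_repo)
  [request_repo, base[0], head[0]].uniq.each do |repo|
    return :not_found unless REPOS.key?(repo) && can_read?(user, repo)
  end
  render_diff(base, head)
end
```

The important design choice is that the authorization set is derived from the parsed range rather than from the URL alone: anything the renderer will read is something the user must be allowed to read, and the denial is indistinguishable from a non-existent repository.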

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-9132

Affected Products

Github Enterprise Server