PT-2026-53989 · Github · Github Enterprise Server
Seokchan Yoon · Published 2026-06-30 · Updated 2026-06-30 · CVE-2026-9132
CVSS v4.0: 6.0 (Medium)
| Vector | AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
GitHub Enterprise Server versions prior to 3.21
Description
An authenticated user can read source code from private repositories they are not authorized to access. The issue occurs because the Copilot pull request description diff summary endpoint accepts a cross-repository comparison range and renders the diff without verifying the requesting user's authorization for the target repository. Exploitation requires an authenticated account on the instance with read access to at least one repository to serve as the comparison base.
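The advisory attributes the flaw to a diff endpoint that trusts the repositories named in a comparison range. The following is an added illustration of the missing check, not GitHub's code: it contrasts a handler that authorizes only the repository the request was sent to with one that authorizes every repository the range resolves to. The `base...head` syntax with an optional `owner/repo:ref` prefix, the in-memory permission table and the repository contents are all constructed for the example.

```python
"""Authorization check for a cross-repository compare range.

Added illustration, not GitHub's code. Assumed: a compare-range syntax
``base...head`` where either side may carry an ``owner/repo:ref`` prefix, and
an in-memory permission table standing in for the instance's access control.
"""
from dataclasses import dataclass

# Constructed sample data: which repositories each user may read, and a
# stand-in for repository contents at a given ref.
PERMISSIONS = {
    "alice": {"acme/public-tools"},
    "bob": {"acme/public-tools", "acme/secret-app"},
}
REPO_CONTENTS = {
    ("acme/public-tools", "main"): "print('hello')\n",
    ("acme/secret-app", "main"): "API_KEY = 'constructed-placeholder'\n",
}


class NotFound(Exception):
    """Raised when the caller may not see the requested repository."""


@dataclass(frozen=True)
class RefSpec:
    repo: str
    ref: str


def parse_ref(spec: str, default_repo: str) -> RefSpec:
    """'owner/repo:ref' names another repo; a bare 'ref' means the request's own."""
    repo, sep, ref = spec.rpartition(":")
    if not sep:
        repo, ref = default_repo, spec
    if not repo or not ref:
        raise ValueError(f"malformed ref spec: {spec!r}")
    return RefSpec(repo, ref)


def parse_compare_range(range_str: str, default_repo: str) -> tuple[RefSpec, RefSpec]:
    """Split 'base...head' into two RefSpecs, resolving bare refs to default_repo."""
    base, sep, head = range_str.partition("...")
    if not sep:
        raise ValueError("compare range must be 'base...head'")
    return parse_ref(base, default_repo), parse_ref(head, default_repo)


def can_read(user: str, repo: str) -> bool:
    """Permission lookup against the constructed table."""
    return repo in PERMISSIONS.get(user, set())


def render_diff(base: RefSpec, head: RefSpec) -> str:
    """Stand-in for the real diff renderer: returns both sides' contents."""
    return (f"--- {base.repo}:{base.ref}\n{REPO_CONTENTS[(base.repo, base.ref)]}"
            f"+++ {head.repo}:{head.ref}\n{REPO_CONTENTS[(head.repo, head.ref)]}")


def vulnerable_diff_summary(user: str, request_repo: str, range_str: str) -> str:
    """Checks only the repository the request was sent to; the range is trusted."""
    if not can_read(user, request_repo):
        raise NotFound(request_repo)
    base, head = parse_compare_range(range_str, request_repo)
    return render_diff(base, head)


def hardened_diff_summary(user: str, request_repo: str, range_str: str) -> str:
    """Authorizes every repository the range resolves to before rendering."""
    base, head = parse_compare_range(range_str, request_repo)
    for repo in {request_repo, base.repo, head.repo}:
        if not can_read(user, repo):
            # Same response as a nonexistent repo, so the check itself leaks nothing.
            raise NotFound(repo)
    return render_diff(base, head)
```

The hardened handler parses the range first and then authorizes the set of repositories it actually touches, so the check cannot be bypassed by naming a second repository on either side of the range. Responding with the same "not found" result for unauthorized and nonexistent repositories keeps the endpoint from confirming that a private repository exists.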
Recommendations
Update to version 3.17.17
Update to version 3.18.11
Update to version 3.19.8
Update to version 3.20.4
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Github Enterprise Server