Cyber Resilience

CVE-2026-5845

Severity: High
Published: 21 April 2026
Modified: 29 April 2026
CISA KEV: not listed
Patch: available
CVSS v4.0 score: 7.2 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0023 (13.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-5845 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in GitHub Enterprise Server. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS exploit likelihood ranks at the 13.7th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-5845 is an improper authorization vulnerability (CWE-639) in the scoped user-to-server (ghu_) token authorization mechanism of GitHub Enterprise Server. It affects all versions prior to 3.21, stemming from an authorization fallback that incorrectly treats a revoked or deleted installation as a global installation context. This flaw enables authenticated attackers to bypass intended scoping restrictions on private repositories.

An authenticated attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By chaining the fallback behavior with token revocation timing and SSH push attribution, the attacker can obtain and reuse a victim-scoped token, gaining unauthorized access to private repositories outside the intended installation scope, including write operations. The CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) reflects high confidentiality and integrity impacts with scope change.

GitHub addressed the vulnerability in maintenance releases including versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26, with details available in the corresponding Enterprise Server release notes. Administrators should upgrade to one of these patched versions to mitigate the issue. The vulnerability was reported through the GitHub Bug Bounty program.
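A fleet-side check derived from the fixed releases the advisory lists, as an added example that is not part of the original page or of GitHub's own tooling. The hostnames and versions in the sample inventory are constructed; versions on branches older than 3.14 are treated as affected with no fixed release on their own branch, since the advisory lists none, and the oldest listed fixed release is reported as the minimum upgrade target.

```python
import re

FIXED_RELEASES = {  # maintenance branch -> first fixed release, from the advisory text
    (3, 20): (3, 20, 1), (3, 19): (3, 19, 5), (3, 18): (3, 18, 8),
    (3, 17): (3, 17, 14), (3, 16): (3, 16, 17), (3, 15): (3, 15, 21),
    (3, 14): (3, 14, 26),
}
FIRST_UNAFFECTED_BRANCH = (3, 21)        # "all versions prior to 3.21" are affected
OLDEST_FIXED = FIXED_RELEASES[(3, 14)]   # minimum target when a branch has no fix listed


def parse_version(text):
    """Parse 'X.Y' or 'X.Y.Z' into a comparable tuple; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def fmt(version):
    return ".".join(str(part) for part in version)


def assess(version_text):
    """Return (status, upgrade_target): status is not_affected, patched or vulnerable."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch >= FIRST_UNAFFECTED_BRANCH:
        return ("not_affected", None)
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        # Branch older than 3.14: affected, and no fixed release exists on that branch.
        return ("vulnerable", fmt(OLDEST_FIXED))
    if version >= fixed:
        return ("patched", None)
    return ("vulnerable", fmt(fixed))


def triage(inventory):
    """Map hostname -> version string; return only the hosts that still need an upgrade."""
    results = {host: assess(v) for host, v in inventory.items()}
    return {host: target for host, (status, target) in results.items() if status == "vulnerable"}


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = {
    "ghes-prod-1": "3.20.0", "ghes-prod-2": "3.20.1", "ghes-staging": "3.16.9",
    "ghes-legacy": "3.13.4", "ghes-new": "3.21.0",
}
```

Feeding `triage` an inventory exported from your CMDB gives the list of instances to schedule for the maintenance releases named above.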

Vulnerability details

An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can include write operations, via an authorization fallback that treated a revoked/deleted installation as a global installation context, which could be chained with token revocation timing and SSH push attribution to obtain and reuse a victim-scoped token. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.

CWE(s)

CWE-639 Authorization Bypass Through User-Controlled Key

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.003 Code Repositories (Collection): Adversaries may leverage code repositories to collect valuable information.
Why these techniques?

The improper authorization flaw in GitHub Enterprise Server directly enables exploitation of a public-facing application to bypass token scoping restrictions, facilitating unauthorized access to private code repositories.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0573 (same product: GitHub Enterprise Server)
CVE-2026-3854 (same product: GitHub Enterprise Server)
CVE-2026-5921 (same product: GitHub Enterprise Server)
CVE-2024-10001 (same product: GitHub Enterprise Server)
CVE-2025-23369 (same product: GitHub Enterprise Server)
CVE-2026-41471 (shared CWE-639)
CVE-2023-36331 (shared CWE-639)
CVE-2026-33297 (shared CWE-639)
CVE-2026-41084 (shared CWE-639)
CVE-2024-50685 (shared CWE-639)

Affected Assets

GitHub Enterprise Server: 3.20.0 · ≤ 3.14.26 · 3.15.0 — 3.15.21 · 3.16.0 — 3.16.17

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for access to resources, directly countering the improper fallback logic that allows access to private repositories outside the intended installation scope.

SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, and correction of flaws, enabling patching to the fixed GitHub Enterprise Server versions that resolve the authorization vulnerability.

Authenticator management (prevent): Manages authenticators such as ghu_ tokens, including proper revocation procedures, mitigating exploitation chains that depend on token revocation timing.
