CVE-2026-5845
Published: 21 April 2026
Summary
CVE-2026-5845 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in GitHub Enterprise Server. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 6.3rd percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to resources, directly countering the improper fallback logic that allows access to private repositories outside the intended installation scope.
- SI-2 (Flaw Remediation): Requires timely identification, reporting, and correction of flaws, enabling patching to the fixed GitHub Enterprise Server versions that resolve the authorization vulnerability.
- Manages authenticators such as ghu_ tokens, including proper revocation procedures, mitigating exploitation chains that depend on token revocation timing.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The improper authorization flaw in GitHub Enterprise Server directly enables exploitation of a public-facing application to bypass token scoping restrictions, facilitating unauthorized access to private code repositories.
NVD Description
An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can include write operations, via an authorization fallback that treated a revoked/deleted installation as a global installation context, which could be chained with token revocation timing and SSH push attribution to obtain and reuse a victim-scoped token. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.
Deeper analysis
CVE-2026-5845 is an improper authorization vulnerability (CWE-639) in the scoped user-to-server (ghu_) token authorization mechanism of GitHub Enterprise Server. It affects all versions prior to 3.21, stemming from an authorization fallback that incorrectly treats a revoked or deleted installation as a global installation context. This flaw enables authenticated attackers to bypass intended scoping restrictions on private repositories.
An authenticated attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By chaining the fallback behavior with token revocation timing and SSH push attribution, the attacker can obtain and reuse a victim-scoped token, gaining unauthorized access to private repositories outside the intended installation scope, including write operations. The CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) reflects high confidentiality and integrity impacts with scope change.
GitHub addressed the vulnerability in maintenance releases including versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26, with details available in the corresponding Enterprise Server release notes. Administrators should upgrade to one of these patched versions to mitigate the issue. The vulnerability was reported through the GitHub Bug Bounty program.
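A defender's first step is to confirm which appliances in an inventory are still on a pre-fix release. The following added example (not code from GitHub or from this advisory) encodes the fixed versions listed above and, for each supported release line, reports whether a given GitHub Enterprise Server version is affected and which patch release on that line closes the gap; the sample version strings are constructed.

```python
"""Check a GitHub Enterprise Server version against the CVE-2026-5845 fix list."""
from __future__ import annotations

import re
from typing import NamedTuple

# First fixed patch release on each release line, taken from the advisory text.
FIXED_PATCH_BY_LINE: dict[tuple[int, int], int] = {
    (3, 14): 26, (3, 15): 21, (3, 16): 17, (3, 17): 14,
    (3, 18): 8, (3, 19): 5, (3, 20): 1,
}
# The advisory states that all versions prior to 3.21 were affected.
FIRST_UNAFFECTED_LINE = (3, 21)


class Assessment(NamedTuple):
    version: str
    affected: bool
    recommended: str | None  # upgrade target, or None when already fixed


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'X.Y.Z' (an optional leading 'v' is tolerated); reject anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised GHES version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def assess(version: str) -> Assessment:
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line >= FIRST_UNAFFECTED_LINE:
        return Assessment(version, False, None)
    fixed_patch = FIXED_PATCH_BY_LINE.get(line)
    if fixed_patch is None:
        # Release lines older than 3.14 received no fix in the advisory's list;
        # the only remediation is moving to a line that did.
        return Assessment(version, True, "3.21 or later")
    if patch >= fixed_patch:
        return Assessment(version, False, None)
    return Assessment(version, True, f"{major}.{minor}.{fixed_patch}")


if __name__ == "__main__":
    # Constructed sample inventory, not real appliances.
    for v in ["3.13.9", "3.17.13", "3.17.14", "3.20.0", "3.21.0"]:
        a = assess(v)
        print(f"{a.version:<8} affected={str(a.affected):<5} upgrade_to={a.recommended}")
```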
Details
- CWE(s)