Improper authorization fallback allows scoped user-to-server token installation escape in GitHub Enterprise Server
Summary
| CVE | CVE-2026-5845 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_P |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-21 23:16:22 UTC |
| Updated | 2026-04-22 21:23:52 UTC |
| Description | An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can include write operations, via an authorization fallback that treated a revoked/deleted installation as a global installation context, which could be chained with token revocation timing and SSH push attribution to obtain and reuse a victim-scoped token. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program. |
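The description above compresses the bug into one sentence: the authorization code resolved a scoped user-to-server token through its installation, and when that installation had been revoked or deleted the lookup fell back to a "global" context instead of failing closed. The following Python is an added illustrative model written for this page, not GitHub Enterprise Server code: the token shape, the in-memory installation store and the repository names are assumptions, and the point is only to show the flawed fallback beside a fail-closed resolver on the same sequence of install, use and revoke.

```python
"""Illustrative model of the authorization fallback described in CVE-2026-5845.

Added example; this is NOT GitHub Enterprise Server code. It models a resolver
that maps a scoped user-to-server token to the repositories it may touch, and
contrasts a fallback that treats a revoked or deleted installation as a global
context with a fail-closed version. The token format, the installation store
and the repository names below are assumptions made for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Installation:
    installation_id: int
    repositories: frozenset  # repositories the installation was granted


@dataclass(frozen=True)
class ScopedToken:
    value: str            # assumed "ghu_..." form; the prefix is not validated here
    user: str
    installation_id: int  # the installation the token was minted against


class InstallationStore:
    """In-memory stand-in for installation records (assumption for the example)."""

    def __init__(self):
        self._active = {}

    def install(self, inst):
        self._active[inst.installation_id] = inst

    def revoke(self, installation_id):
        # Revocation and deletion are modelled the same way: the record is gone.
        self._active.pop(installation_id, None)

    def lookup(self, installation_id):
        return self._active.get(installation_id)


def vulnerable_authorized_repos(token, store, all_repos):
    """Flawed resolver: a missing installation falls back to a global context."""
    inst = store.lookup(token.installation_id)
    if inst is None:
        # BUG (the pattern the advisory describes): no installation record is
        # read as "no installation restriction", so every repository is reachable.
        return set(all_repos)
    return set(inst.repositories)


def fixed_authorized_repos(token, store, all_repos):
    """Fail-closed resolver: no installation record means no access at all."""
    inst = store.lookup(token.installation_id)
    if inst is None:
        return set()
    return set(inst.repositories)


def may_write(repo, token, store, all_repos, resolver):
    """True when the resolver puts `repo` inside the token's authorized set."""
    return repo in resolver(token, store, all_repos)


def demo():
    """Walk both resolvers through install -> use -> revoke on constructed data."""
    all_repos = {"acme/app", "acme/private-secrets"}       # constructed sample
    store = InstallationStore()
    store.install(Installation(42, frozenset({"acme/app"})))
    token = ScopedToken("ghu_example", "victim", 42)       # constructed sample token

    out = {}
    # While the installation exists both resolvers agree: only the scoped repo.
    out["before_revoke_vulnerable"] = vulnerable_authorized_repos(token, store, all_repos)
    out["before_revoke_fixed"] = fixed_authorized_repos(token, store, all_repos)

    store.revoke(42)
    # After revocation the flawed fallback widens the token to everything,
    # including a private repository that was never in the installation's scope.
    out["after_revoke_vulnerable"] = vulnerable_authorized_repos(token, store, all_repos)
    out["after_revoke_fixed"] = fixed_authorized_repos(token, store, all_repos)
    out["private_writable_vulnerable"] = may_write(
        "acme/private-secrets", token, store, all_repos, vulnerable_authorized_repos)
    out["private_writable_fixed"] = may_write(
        "acme/private-secrets", token, store, all_repos, fixed_authorized_repos)
    return out


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {sorted(val) if isinstance(val, set) else val}")
```

The practitioner's takeaway is the ordering in `vulnerable_authorized_repos`: the absence of a record is handled before scope is computed, and the "absent" branch grants more than the "present" branch ever could. Any resolver that keys authorization on a caller-supplied identifier (here the installation id carried by the token, the CWE-639 shape) should treat a failed lookup as a denial, never as a wildcard.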
Risk And Classification
Primary CVSS: v4.0 7.2 HIGH from [email protected]
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.000130000 probability, percentile 0.021240000 (date 2026-04-22)
Problem Types: CWE-639 Authorization Bypass Through User-Controlled Key
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 7.2 | HIGH | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 7.2 | HIGH | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N |
CVSS v4.0 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Local |
| Attack Complexity | Low |
| Attack Requirements | Present |
| Privileges Required | Low |
| User Interaction | None |
| Confidentiality | High |
| Integrity | High |
| Availability | None |
| Sub Conf. | Low |
| Sub Integrity | Low |
| Sub Availability | None |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | GitHub | Enterprise Server | 3.20.0 to < 3.20.1 (semver) | Not specified |
| CNA | GitHub | Enterprise Server | 3.19.0 to < 3.19.5 (semver) | Not specified |
| CNA | GitHub | Enterprise Server | 3.18.0 to < 3.18.8 (semver) | Not specified |
| CNA | GitHub | Enterprise Server | 3.17.0 to < 3.17.14 (semver) | Not specified |
| CNA | GitHub | Enterprise Server | 3.16.0 to < 3.16.17 (semver) | Not specified |
| CNA | GitHub | Enterprise Server | 3.15.0 to < 3.15.21 (semver) | Not specified |
| CNA | GitHub | Enterprise Server | 3.14.0 to < 3.14.26 (semver) | Not specified |
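The table above gives seven affected ranges with one patched release per line. A quick way to turn it into an answer to "is my instance affected, and what do I upgrade to?" is the added Python below. It is an example written for this page, not a GitHub tool; the fixed versions are copied from the advisory, and the single assumption is that a release line older than 3.14, which the table does not list, is reported as affected with no fix in its line, since the description states that every version prior to 3.21 was affected.

```python
"""Check a GitHub Enterprise Server version string against the fixed releases
listed in this advisory for CVE-2026-5845.

Added example, not a GitHub tool. The fixed versions come from the advisory
text; the only assumption is that a release line older than 3.14 (absent from
the affected-products table) is treated as affected with no fixed release in
its line, because the description says every version prior to 3.21 was affected.
"""
import re

# Earliest patched release per listed line, from the advisory.
FIXED_BY_LINE = {
    (3, 20): (3, 20, 1),
    (3, 19): (3, 19, 5),
    (3, 18): (3, 18, 8),
    (3, 17): (3, 17, 14),
    (3, 16): (3, 16, 17),
    (3, 15): (3, 15, 21),
    (3, 14): (3, 14, 26),
}
FIRST_UNAFFECTED_LINE = (3, 21)   # "all versions prior to 3.21" were affected

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Parse 'x.y.z' or 'vx.y.z' into an integer tuple; reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a GHES release version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(text):
    """True when the version falls inside an affected range from the advisory."""
    v = parse_version(text)
    if v[:2] >= FIRST_UNAFFECTED_LINE:
        return False                     # 3.21 and later were never affected
    fixed = FIXED_BY_LINE.get(v[:2])
    if fixed is None:
        return True                      # assumption: older, unlisted line, no fix listed
    return v < fixed                     # below the first patched release of its line


def upgrade_target(text):
    """Remediation string for a version: the patched release in its line, or advice."""
    v = parse_version(text)
    if not is_vulnerable(text):
        return "not affected"
    fixed = FIXED_BY_LINE.get(v[:2])
    if fixed is None:
        return "no fixed release in this line; upgrade to a supported line"
    return ".".join(str(n) for n in fixed)


if __name__ == "__main__":
    import sys
    # Constructed sample inputs when no versions are passed on the command line.
    for arg in sys.argv[1:] or ["3.20.0", "3.20.1", "3.17.2", "3.13.5", "3.21.0"]:
        status = "VULNERABLE" if is_vulnerable(arg) else "ok"
        print(f"{arg}: {status} -> {upgrade_target(arg)}")
```

Run it with the version shown on your instance's management console (`python3 check.py 3.19.4`, for example). Two cautions: the check says nothing about whether the fallback has been reached on a given instance, only whether the code carrying it is installed, and a version reported as "ok" by this script still deserves a look at the linked release notes, since the advisory is the only source the check encodes.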
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| docs.github.com/en/[email protected]/admin/release-notes | [email protected] | docs.github.com | |
| docs.github.com/en/[email protected]/admin/release-notes | [email protected] | docs.github.com | |
| docs.github.com/en/[email protected]/admin/release-notes | [email protected] | docs.github.com | |
| docs.github.com/en/[email protected]/admin/release-notes | [email protected] | docs.github.com | |
| docs.github.com/en/[email protected]/admin/release-notes | [email protected] | docs.github.com | |
| docs.github.com/en/[email protected]/admin/release-notes | [email protected] | docs.github.com | |
| docs.github.com/en/[email protected]/admin/release-notes | [email protected] | docs.github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: ahacker1 (en)
There are currently no legacy QID mappings associated with this CVE.