UI misrepresentation vulnerability in GitHub Enterprise Server allowed unauthorized organization runner management via undisclosed OAuth scope on consent screen
Summary
| CVE | CVE-2026-9106 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_P |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-30 21:16:30 UTC |
| Updated | 2026-07-02 15:41:11 UTC |
| Description | A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. An attacker could exploit this by creating an OAuth application requesting the manage_runners:org scope and directing a victim user to authorize it, as the scope was not displayed on the authorization consent screen. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program. |
Risk And Classification
Primary CVSS: v4.0 4.8 MEDIUM from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.001760000 probability, percentile 0.073410000 (date 2026-07-04)
Problem Types: CWE-451 | CWE-451 CWE-451: User Interface (UI) Misrepresentation of Critical Information
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 4.8 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 4.8 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
| 3.1 | [email protected] | Primary | 5.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
LowAttack Requirements
NonePrivileges Required
LowUser Interaction
ActiveConfidentiality
LowIntegrity
LowAvailability
LowSub Conf.
NoneSub Integrity
NoneSub Availability
NoneCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
LowUser Interaction
RequiredScope
UnchangedConfidentiality
LowIntegrity
LowAvailability
LowCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Github | Enterprise Server | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | GitHub | Enterprise Server | affected 3.17.0 3.17.16 semver | Not specified |
| CNA | GitHub | Enterprise Server | affected 3.18.0 3.18.10 semver | Not specified |
| CNA | GitHub | Enterprise Server | affected 3.19.0 3.19.7 semver | Not specified |
| CNA | GitHub | Enterprise Server | affected 3.20.0 3.20.3 semver | Not specified |
| CNA | GitHub | Enterprise Server | affected 3.21.0 3.21.1 semver | Not specified |
| CNA | GitHub | Enterprise Server | affected 3.16.0 3.16.19 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| docs.github.com/en/[email protected]/admin/release-notes | [email protected] | docs.github.com | Release Notes |
| docs.github.com/en/[email protected]/admin/release-notes | [email protected] | docs.github.com | Release Notes |
| docs.github.com/en/[email protected]/admin/release-notes | [email protected] | docs.github.com | Release Notes |
| docs.github.com/en/[email protected]/admin/release-notes | [email protected] | docs.github.com | Release Notes |
| docs.github.com/en/[email protected]/admin/release-notes | [email protected] | docs.github.com | Release Notes |
| docs.github.com/en/[email protected]/admin/release-notes | [email protected] | docs.github.com | Release Notes |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: VAIBHAV SINGH (@vaib25vicky) (en)
There are currently no legacy QID mappings associated with this CVE.