CVE-2026-15783 in GitHub
Summary
by MITRE • 07/17/2026
A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with write access to any repository to read metadata from private repositories they did not have access to, including private repository owners and names, branch names, commit SHAs, commit messages, and the pushing actor. The delegated bypass endpoint resolved a rule suite directly from an attacker-supplied, encoded identifier without verifying that the requesting user could read the rule suite's repository, and because these identifiers are sequential an attacker could enumerate them across the instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.17.18, 3.18.12, 3.19.9, 3.20.5, and 3.21.3. This vulnerability was reported via the GitHub Bug Bounty program.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/17/2026
This vulnerability represents a critical authorization flaw in GitHub Enterprise Server that undermines the fundamental security model of private repository isolation. The issue stems from a missing authorization check within the delegated bypass endpoint functionality, where the system fails to validate whether an authenticated user with write permissions to a repository has legitimate read access to the target rule suite metadata. This oversight creates a path for unauthorized information disclosure that directly violates core security principles of least privilege and access control enforcement.
The technical implementation of this vulnerability exploits the sequential nature of repository identifiers within GitHub's architecture, allowing attackers to enumerate rule suite identifiers through brute force techniques. Since these identifiers are predictable and sequentially generated, an authenticated user with write access to any repository can systematically discover and access metadata from private repositories they should not be able to read. This enumeration capability extends to sensitive information including repository owners, names, branch names, commit SHAs, commit messages, and the identity of the pushing actor, effectively creating a comprehensive information leakage mechanism.
The operational impact of this vulnerability is significant for organizations relying on GitHub Enterprise Server for code management and collaboration. Attackers can use this flaw to gather intelligence about private repositories within their instance, potentially identifying sensitive project information, development timelines, commit history patterns, and team structures. This reconnaissance capability could enable more sophisticated attacks such as social engineering, targeted phishing campaigns, or planning of future exploitation attempts against specific repositories or teams. The vulnerability affects all versions prior to 3.22, representing a substantial attack surface across multiple release lines.
This flaw aligns with CWE-862, which describes insufficient authorization checks, and demonstrates how missing access control validation can lead to information disclosure vulnerabilities. The issue also maps to ATT&CK technique T1590, specifically the reconnaissance phase where adversaries gather information about targets. Organizations utilizing GitHub Enterprise Server must implement immediate mitigations including upgrading to patched versions 3.17.18, 3.18.12, 3.19.9, 3.20.5, and 3.21.3 as recommended by the vendor. Additionally, administrators should review access controls for repositories and consider implementing additional monitoring for unusual enumeration patterns or metadata access requests that could indicate exploitation attempts.
The vulnerability was responsibly disclosed through GitHub's Bug Bounty program, highlighting the importance of coordinated disclosure in identifying and addressing security flaws within enterprise platforms. This case demonstrates how seemingly minor authorization gaps can create substantial information leakage opportunities, emphasizing the need for comprehensive security testing including authorization validation checks. Organizations should conduct thorough assessments of their GitHub Enterprise Server deployments to identify any additional instances where similar missing authorization patterns might exist, particularly in endpoints that handle repository metadata or rule suite configurations. The remediation process requires not just patching but also validating that all access control mechanisms properly enforce repository-level permissions and prevent cross-repository information leakage regardless of user privileges within the system.