Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-3307

CVE-2026-3307: GitHub Enterprise Server Auth Bypass Flaw

CVE-2026-3307 is an authorization bypass vulnerability in GitHub Enterprise Server that lets attackers modify secret scanning settings across repositories. This article covers the technical details, affected versions, and patches.

Published:

CVE-2026-3307 Overview

An authorization bypass vulnerability was identified in GitHub Enterprise Server that allows an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository. The vulnerability stems from improper authorization verification where the system validates permissions against the repository specified in the URL, but applies actions to a different repository specified via the owner_id parameter in the request body.

Critical Impact

Attackers with repository admin privileges can manipulate secret scanning bypass reviewer configurations across repositories they don't have permission to modify, potentially weakening security controls on sensitive repositories.

Affected Products

  • GitHub Enterprise Server versions prior to 3.21
  • GitHub Enterprise Server 3.14.x (prior to 3.14.25)
  • GitHub Enterprise Server 3.15.x (prior to 3.15.20)
  • GitHub Enterprise Server 3.16.x (prior to 3.16.16)
  • GitHub Enterprise Server 3.17.x (prior to 3.17.13)
  • GitHub Enterprise Server 3.18.x (prior to 3.18.7)
  • GitHub Enterprise Server 3.19.x (prior to 3.19.4)
  • GitHub Enterprise Server 3.20.x (prior to 3.20.1)

Discovery Timeline

  • 2026-04-21 - CVE-2026-3307 published to NVD
  • 2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-3307

Vulnerability Analysis

This vulnerability is classified as CWE-639: Authorization Bypass Through User-Controlled Key. The flaw occurs in the API endpoint responsible for managing secret scanning push protection delegated bypass reviewers. When processing requests, the authorization check validates the user's admin privileges against the repository ID contained in the URL path. However, the actual modification operation uses the owner_id parameter from the request body, creating a mismatch between the authorized and affected resources.

The network-accessible attack vector requires low privileges (repository admin access on at least one repository) and no user interaction. While the impact on integrity is limited—attackers can only assign existing trusted users as bypass reviewers rather than adding arbitrary external users—this still represents a significant security boundary violation that could be leveraged to weaken secret scanning protections on critical repositories.

Root Cause

The root cause is an Insecure Direct Object Reference (IDOR) vulnerability where the application fails to verify that the owner_id parameter in the request body corresponds to the same repository that was authorized in the URL path. This disconnect between authorization verification and action execution creates a classic authorization bypass scenario where an attacker can manipulate request parameters to affect resources outside their authorized scope.

Attack Vector

The attack is network-based and requires an authenticated user with admin privileges on at least one repository within the GitHub Enterprise Server instance. The attacker crafts a malicious API request targeting a repository they have admin access to, but includes a different repository's identifier in the owner_id parameter of the request body. Since authorization only checks the URL-specified repository, the attacker can modify the bypass reviewer list of the target repository without proper authorization.

The vulnerability allows an attacker to assign existing trusted users as bypass reviewers on repositories they don't administer. This could be exploited to either add bypass reviewers (potentially allowing unauthorized users to bypass secret scanning) or to manipulate the security workflow of critical repositories.

Detection Methods for CVE-2026-3307

Indicators of Compromise

  • Audit log entries showing modifications to secret scanning bypass reviewer lists where the acting user is not an admin of the affected repository
  • API requests to secret scanning configuration endpoints where the URL repository ID differs from the owner_id in the request body
  • Unexpected changes to bypass reviewer configurations across multiple repositories from a single user account

Detection Strategies

  • Implement monitoring for GitHub Enterprise Server audit logs specifically tracking changes to secret scanning push protection settings
  • Create alerts for API requests where discrepancies exist between URL path parameters and request body identifiers
  • Review repository security configurations periodically to identify unauthorized changes to bypass reviewer lists

Monitoring Recommendations

  • Enable verbose API logging on GitHub Enterprise Server to capture full request bodies for security-sensitive endpoints
  • Deploy network-level monitoring to inspect API traffic for parameter manipulation patterns
  • Establish baseline configurations for bypass reviewer settings and alert on deviations

How to Mitigate CVE-2026-3307

Immediate Actions Required

  • Upgrade GitHub Enterprise Server to a patched version immediately: 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, or 3.20.1
  • Audit existing bypass reviewer configurations across all repositories to identify any unauthorized modifications
  • Review audit logs for suspicious API activity targeting secret scanning configuration endpoints
  • Temporarily restrict API access to secret scanning configuration endpoints if unable to patch immediately

Patch Information

GitHub has released security patches addressing this vulnerability across all supported version branches. Organizations should upgrade to the following fixed versions based on their current deployment:

  • Version 3.14.x: Upgrade to 3.14.25
  • Version 3.15.x: Upgrade to 3.15.20
  • Version 3.16.x: Upgrade to 3.16.16
  • Version 3.17.x: Upgrade to 3.17.13
  • Version 3.18.x: Upgrade to 3.18.7
  • Version 3.19.x: Upgrade to 3.19.4
  • Version 3.20.x: Upgrade to 3.20.1

This vulnerability was reported via the GitHub Bug Bounty program.

Workarounds

  • Restrict repository admin privileges to only essential personnel until patching is complete
  • Implement network-level access controls to limit API endpoint access to trusted IP ranges
  • Enable enhanced audit logging and actively monitor for parameter manipulation attempts
  • Consider temporarily disabling API access to secret scanning configuration endpoints if the feature is not actively used
bash
# Verify your GitHub Enterprise Server version
ghe-version

# Check current bypass reviewer configurations across repositories
ghe-config --get app.github.secret-scanning-bypass-reviewers

# Review audit logs for secret scanning configuration changes
ghe-support-bundle -c security -o /tmp/security-audit

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne