Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-4296

CVE-2026-4296: GitHub Enterprise Server Auth Bypass Flaw

CVE-2026-4296 is an authentication bypass vulnerability in GitHub Enterprise Server that exploits OAuth redirect URI validation. Attackers can gain unauthorized account access. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-4296 Overview

An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allows attackers to bypass OAuth redirect URI validation. This authentication bypass flaw enables an attacker with knowledge of a first-party OAuth application's registered callback URL to craft malicious authorization links that redirect OAuth authorization codes to attacker-controlled domains, potentially granting unauthorized access to victim accounts.

Critical Impact

Attackers can steal OAuth authorization codes and gain unauthorized access to victim accounts with all scopes granted to the compromised OAuth application. This could lead to repository access, organization data exposure, and lateral movement within enterprise environments.

Affected Products

  • GitHub Enterprise Server versions prior to 3.21
  • GitHub Enterprise Server versions prior to 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26
  • All GitHub Enterprise Server installations with OAuth applications configured

Discovery Timeline

  • 2026-04-21 - CVE-2026-4296 published to NVD
  • 2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-4296

Vulnerability Analysis

This vulnerability is classified under CWE-185 (Incorrect Regular Expression), which indicates a flaw in pattern matching logic used for security-critical validation. The OAuth 2.0 authorization flow relies on strict redirect URI validation to ensure authorization codes are only sent to legitimate, pre-registered callback URLs. In this case, the regular expression used to validate redirect URIs contains a logical flaw that allows specially crafted URIs to pass validation while actually redirecting to attacker-controlled domains.

The attack requires user interaction—a victim must click a malicious authorization link—but once clicked, the OAuth flow proceeds normally from the user's perspective while the authorization code is silently exfiltrated to the attacker's server.

Root Cause

The vulnerability stems from an incorrectly implemented regular expression in the OAuth redirect URI validation logic within GitHub Enterprise Server. Regular expression flaws in URI validation commonly occur due to improper escaping of special characters (such as dots or forward slashes), inadequate anchoring of patterns, or failure to account for URI encoding variations. This allows attackers to construct URIs that appear to match the registered callback URL pattern but actually resolve to different domains.

Attack Vector

The attack is network-based and requires low privileges (an attacker must know the registered callback URL of a first-party OAuth application). The attacker crafts a malicious OAuth authorization URL that exploits the regex validation flaw, causing the redirect URI parameter to pass validation while actually pointing to an attacker-controlled server. When a victim clicks the link, they are presented with a legitimate-looking GitHub authorization prompt. Upon approval, the authorization code is sent to the attacker's domain instead of the legitimate application.

The attacker can then exchange this authorization code for an access token, gaining full access to the victim's account within the scope of the OAuth application's permissions.

Detection Methods for CVE-2026-4296

Indicators of Compromise

  • Unusual OAuth authorization requests with redirect URIs containing suspicious domain variations or encoded characters
  • OAuth access token grants to applications followed by immediate API access from unexpected IP addresses or geographic locations
  • User reports of authorization prompts for applications they regularly use appearing unexpectedly
  • Log entries showing OAuth callbacks being redirected to domains that closely resemble but differ from registered callback URLs

Detection Strategies

  • Implement monitoring for OAuth authorization flows with regex pattern analysis on redirect URI parameters to detect potential bypass attempts
  • Review GitHub Enterprise Server audit logs for OAuth token issuance events, correlating them with subsequent API activity patterns
  • Deploy web application firewall (WAF) rules to detect and block authorization requests with anomalous redirect URI structures
  • Enable detailed logging of OAuth authentication flows and establish baselines for normal authorization patterns

Monitoring Recommendations

  • Monitor GitHub Enterprise Server access logs for OAuth authorization endpoints with particular attention to redirect_uri parameters
  • Set up alerts for OAuth applications receiving authorization grants from unusual user populations or at abnormal times
  • Review and audit all registered OAuth application callback URLs to ensure they follow strict URL patterns
  • Implement session monitoring to detect access token usage patterns inconsistent with normal application behavior

How to Mitigate CVE-2026-4296

Immediate Actions Required

  • Upgrade GitHub Enterprise Server to a patched version immediately: 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, or 3.14.26
  • Review OAuth application registrations and audit all registered callback URLs for potential exposure
  • Consider temporarily disabling OAuth applications that grant high-privilege scopes until patching is complete
  • Notify users to be cautious of unexpected OAuth authorization prompts and to report suspicious activity

Patch Information

GitHub has released security patches across multiple supported release branches. Organizations should upgrade to the appropriate patched version based on their current deployment:

  • Version 3.20.x: Upgrade to 3.20.1
  • Version 3.19.x: Upgrade to 3.19.5
  • Version 3.18.x: Upgrade to 3.18.8
  • Version 3.17.x: Upgrade to 3.17.14
  • Version 3.16.x: Upgrade to 3.16.17
  • Version 3.15.x: Upgrade to 3.15.21
  • Version 3.14.x: Upgrade to 3.14.26

This vulnerability was reported via the GitHub Bug Bounty program.

Workarounds

  • Restrict OAuth application permissions to the minimum required scopes until patches can be applied
  • Implement network-level monitoring to detect and block OAuth callbacks to suspicious or newly registered domains
  • Use web application firewall rules to validate redirect URI parameters against strict allowlists
  • Consider temporarily disabling first-party OAuth applications that provide access to sensitive resources
bash
# Configuration example
# Review registered OAuth applications and their callback URLs
# Access: Site admin → OAuth applications
# For each application, verify the callback URL is correctly formatted
# and does not allow wildcard or partial matching patterns

# Check current GitHub Enterprise Server version
ghe-version

# Apply the security update (example for upgrading to 3.20.1)
ghe-upgrade github-enterprise-3.20.1.pkg

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne