CVE-2026-5845 Overview
An improper authorization vulnerability exists in the scoped user-to-server (ghu_) token authorization mechanism in GitHub Enterprise Server. This security flaw allows an authenticated attacker to access private repositories outside the intended installation scope, potentially including write operations. The vulnerability stems from an authorization fallback that incorrectly treated a revoked or deleted installation as a global installation context. Attackers could chain this with token revocation timing and SSH push attribution to obtain and reuse a victim-scoped token.
Critical Impact
Authenticated attackers can gain unauthorized access to private repositories, including write capabilities, by exploiting the improper authorization fallback mechanism in scoped token validation.
Affected Products
- GitHub Enterprise Server versions prior to 3.21
- GitHub Enterprise Server versions prior to 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26
Discovery Timeline
- 2026-04-21 - CVE CVE-2026-5845 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-5845
Vulnerability Analysis
This vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), indicating a fundamental flaw in how GitHub Enterprise Server validates the scope and permissions of user-to-server tokens. The improper authorization occurs during the token validation process when an installation associated with a scoped token is revoked or deleted.
When a GitHub App installation is removed or revoked, the authorization system should invalidate all associated ghu_ tokens. However, due to a logic flaw in the fallback mechanism, the system instead treats these tokens as having global installation context. This effectively elevates the token's permissions beyond its original intended scope, granting access to private repositories the token holder should not be able to access.
The attack requires the attacker to already be authenticated to the GitHub Enterprise Server instance, but once authenticated, they can exploit the timing window around token revocation to maintain or escalate their access. The combination with SSH push attribution further complicates detection, as malicious repository operations may be attributed to the original token owner rather than the attacker.
Root Cause
The root cause lies in the authorization fallback logic within GitHub Enterprise Server's token validation system. When checking the validity of a scoped ghu_ token, the system performs a lookup against the associated GitHub App installation. If the installation record is not found (due to deletion or revocation), instead of denying access, the fallback code path incorrectly assumes a global installation context. This design flaw transforms what should be an access denial into an implicit privilege escalation.
Attack Vector
The attack requires local access with low privileges but involves precise timing. An authenticated attacker can exploit this vulnerability through the following mechanism:
- The attacker obtains or intercepts a valid scoped ghu_ token associated with a specific GitHub App installation
- The attacker monitors for or triggers the revocation/deletion of the associated installation
- During the timing window when the installation is removed but the token has not been fully invalidated, the attacker uses the token
- The fallback authorization logic grants the token global context instead of denying access
- The attacker can now access private repositories outside the original scope, including performing write operations
The vulnerability can be chained with SSH push attribution, allowing the attacker to attribute their malicious actions to the victim whose token was compromised, further obscuring the attack trail.
Detection Methods for CVE-2026-5845
Indicators of Compromise
- Unusual access patterns from ghu_ tokens accessing repositories outside their normal scope
- Repository access or write operations occurring shortly after GitHub App installation revocations
- SSH push operations with mismatched attribution compared to API token authentication patterns
- Access to private repositories from tokens associated with deleted or revoked installations
Detection Strategies
- Monitor GitHub Enterprise Server audit logs for repository access events correlated with recent installation deletions
- Implement alerting on ghu_ token usage patterns that show access to repositories not originally scoped to the token's installation
- Review SSH push attribution logs for inconsistencies between committer identity and token owner
- Deploy behavioral analytics to identify tokens exhibiting sudden scope expansion after installation changes
Monitoring Recommendations
- Enable comprehensive audit logging for all token authentication events on GitHub Enterprise Server
- Configure alerts for installation deletion events followed by continued token usage within a defined timing window
- Implement real-time monitoring of private repository access patterns to detect scope violations
- Regularly review and correlate installation lifecycle events with associated token activity
How to Mitigate CVE-2026-5845
Immediate Actions Required
- Upgrade GitHub Enterprise Server to the patched versions: 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, or 3.14.26
- Audit all existing ghu_ tokens for suspicious access patterns in enterprise logs
- Review recent GitHub App installation deletions and correlate with repository access events
- Invalidate and regenerate tokens for any GitHub Apps where installations were recently revoked
Patch Information
GitHub has released security patches addressing this vulnerability across multiple supported versions of GitHub Enterprise Server. Organizations should upgrade to the following patched versions based on their current deployment:
| Current Version Branch | Patched Version |
|---|---|
| 3.20.x | 3.20.1 |
| 3.19.x | 3.19.5 |
| 3.18.x | 3.18.8 |
| 3.17.x | 3.17.14 |
| 3.16.x | 3.16.17 |
| 3.15.x | 3.15.21 |
| 3.14.x | 3.14.26 |
This vulnerability was reported via the GitHub Bug Bounty program.
Workarounds
- Implement strict network segmentation to limit lateral movement if token compromise occurs
- Enforce multi-factor authentication for all GitHub Enterprise Server users to reduce initial token theft risk
- Establish procedures to immediately invalidate all associated tokens when revoking GitHub App installations
- Consider implementing additional authorization checks at the repository level independent of token scoping
# Review GitHub Enterprise Server version and plan upgrade
ghe-version
# Check audit logs for suspicious ghu_ token activity
ghe-es-search 'actor_type:user AND action:repo.access' --since 7d
# Review installation deletion events
ghe-es-search 'action:integration_installation.destroy' --since 30d
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
