Vulnerability Description
An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository by manipulating the owner_id parameter in the request body. Authorization was verified against the repository in the URL, but the action was applied to a different repository specified in the request body. The impact is limited to assigning existing trusted users as bypass reviewers; it does not allow adding arbitrary external users. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4 and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.
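The check/act mismatch described above, as an added illustration that is not GitHub's code: a toy handler that authorizes against the repository in the URL path but writes to whichever repository the body's owner_id names, beside the fixed form that writes only to the object it authorized. Repository, REPOS, the handler names, and treating owner_id as a repository id are assumptions for the illustration.

```ruby
# Added illustration (not GitHub's code): toy model of an authorization check
# made against one object while the write lands on another.
# Repository, REPOS and the handler names are hypothetical.
Repository = Struct.new(:id, :admins, :bypass_reviewers)

# Constructed sample data: alice administers repo 1 only, bob repo 2 only.
REPOS = {
  1 => Repository.new(1, [:alice], []),
  2 => Repository.new(2, [:bob], []),
}

class Forbidden < StandardError; end

def authorize_admin!(user, repo)
  raise Forbidden, "not an admin of repo #{repo.id}" unless repo.admins.include?(user)
end

# Vulnerable shape: the admin check uses the repository from the URL path,
# but the update is applied to the repository id supplied in the request body.
def update_reviewers_vulnerable(user, path_params, body)
  url_repo = REPOS.fetch(path_params[:repo_id])
  authorize_admin!(user, url_repo)
  target = REPOS.fetch(body[:owner_id], url_repo) # body value, never re-checked
  target.bypass_reviewers = body[:reviewers]
  target.id
end

# Fixed shape: only the object that passed authorization is written to, and a
# body id that disagrees with the URL is rejected instead of trusted.
def update_reviewers_fixed(user, path_params, body)
  url_repo = REPOS.fetch(path_params[:repo_id])
  authorize_admin!(user, url_repo)
  if body.key?(:owner_id) && body[:owner_id] != url_repo.id
    raise Forbidden, "body owner_id does not match the authorized repository"
  end
  url_repo.bypass_reviewers = body[:reviewers]
  url_repo.id
end
```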
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| GitHub | Enterprise Server | < 3.14.26 |
Related Weaknesses (CWE)
References
- https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.25 (Release Notes, Vendor Advisory)
- https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.20 (Release Notes, Vendor Advisory)
- https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.16 (Release Notes, Vendor Advisory)
- https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.13 (Release Notes, Vendor Advisory)
- https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.7 (Release Notes, Vendor Advisory)
- https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.4 (Release Notes, Vendor Advisory)
- https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1 (Release Notes, Vendor Advisory)
FAQ
What is CVE-2026-3307?
CVE-2026-3307 is a vulnerability with a CVSS score of 2.7 (LOW). An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated by...
How severe is CVE-2026-3307?
CVE-2026-3307 has been rated LOW with a CVSS base score of 2.7/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-3307?
Check the references section above for vendor advisories and patch information. Affected products include: GitHub Enterprise Server.