CVE-2026-5845 — CRITICAL (9.6)

Q: How severe is CVE-2026-5845?

CVE-2026-5845 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2026-5845?

Check the references section above for vendor advisories and patch information. Affected products include: Github Enterprise Server.

Vulnerability Description

An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can include write operations, via an authorization fallback that treated a revoked/deleted installation as a global installation context, which could be chained with token revocation timing and SSH push attribution to obtain and reuse a victim-scoped token. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.

CVSS Score

9.6

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Github	Enterprise Server	< 3.14.26

Related Weaknesses (CWE)

CWE-639

References

https://docs.github.com/en/[email protected]/admin/release-notes#3.14.26Release NotesVendor Advisory
https://docs.github.com/en/[email protected]/admin/release-notes#3.15.21Release NotesVendor Advisory
https://docs.github.com/en/[email protected]/admin/release-notes#3.16.17Release NotesVendor Advisory
https://docs.github.com/en/[email protected]/admin/release-notes#3.17.14Release NotesVendor Advisory
https://docs.github.com/en/[email protected]/admin/release-notes#3.18.8Release NotesVendor Advisory
https://docs.github.com/en/[email protected]/admin/release-notes#3.19.5Release NotesVendor Advisory
https://docs.github.com/en/[email protected]/admin/release-notes#3.20.1Release NotesVendor Advisory

FAQ

What is CVE-2026-5845?

CVE-2026-5845 is a vulnerability with a CVSS score of 9.6 (CRITICAL). An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the inte...

How severe is CVE-2026-5845?

CVE-2026-5845 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2026-5845?

Check the references section above for vendor advisories and patch information. Affected products include: Github Enterprise Server.