CVE-2026-1355

MEDIUM EPSS 30.8%
Published Feb 18, 20264mo ago · Modified Jun 17, 20261w ago
6.0 CVSS 4.0
Medium
Find Similar
Published Feb 18, 2026 4mo ago
Last Modified Jun 17, 2026 1w ago

Description

A Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to upload unauthorized content to another user’s repository migration export due to a missing authorization check in the repository migration upload endpoint. By supplying the migration identifier, an attacker could overwrite or replace a victim’s migration archive, potentially causing victims to download attacker-controlled repository data during migration restores or automated imports. An attacker would require authentication to the victim's GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.2, 3.18.5, 3.17.11, 3.16.14, 3.15.18, 3.14.23. This vulnerability was reported via the GitHub Bug Bounty program.

CVSS Details

Base Score
6.0
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
30.8% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-862 Missing Authorization Authorization

Affected Products 6

VendorProductVersionRange
githubenterprise_server* <3.14.23
githubenterprise_server*≥3.15.0  –  <3.15.18
githubenterprise_server*≥3.16.0  –  <3.16.14
githubenterprise_server*≥3.17.0  –  <3.17.11
githubenterprise_server*≥3.18.0  –  <3.18.5
githubenterprise_server*≥3.19.0  –  <3.19.2

References 6

  • docs.github.com https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.23
    ProductRelease Notes
  • docs.github.com https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.18
    ProductRelease Notes
  • docs.github.com https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.14
    ProductRelease Notes
  • docs.github.com https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.11
    ProductRelease Notes
  • docs.github.com https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.5
    ProductRelease Notes
  • docs.github.com https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.2
    ProductRelease Notes

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.