CVE-2026-3582 (GCVE-0-2026-3582)
Vulnerability from cvelistv5 – Published: 2026-03-10 18:56 – Updated: 2026-03-11 14:13
VLAI?
Title
Incorrect Authorization in GitHub Enterprise Server allows access to issue and commit search results without repo scope
Summary
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user must have had existing access to the repository through organization membership or as a collaborator for the vulnerability to be exploitable. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.16.15, 3.17.12, 3.18.6 and 3.19.3. This vulnerability was reported via the GitHub Bug Bounty program.
Severity ?
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitHub | Enterprise Server |
Affected:
3.16.0 , ≤ 3.16.14
(semver)
Affected: 3.17.0 , ≤ 3.17.11 (semver) Affected: 3.18.0 , ≤ 3.18.5 (semver) Affected: 3.19.0 , ≤ 3.19.2 (semver) |
Credits
Sergej Ljubojevic
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3582",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T14:13:37.842686Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T14:13:44.860Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Enterprise Server",
"vendor": "GitHub",
"versions": [
{
"changes": [
{
"at": "3.16.15",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.16.14",
"status": "affected",
"version": "3.16.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.17.12",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.17.11",
"status": "affected",
"version": "3.17.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.18.6",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.18.5",
"status": "affected",
"version": "3.18.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.19.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.19.2",
"status": "affected",
"version": "3.19.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sergej Ljubojevic"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user must have had existing access to the repository through organization membership or as a collaborator for the vulnerability to be exploitable. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.16.15, 3.17.12, 3.18.6 and 3.19.3. This vulnerability was reported via the GitHub Bug Bounty program."
}
],
"value": "An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user must have had existing access to the repository through organization membership or as a collaborator for the vulnerability to be exploitable. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.16.15, 3.17.12, 3.18.6 and 3.19.3. This vulnerability was reported via the GitHub Bug Bounty program."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T18:56:56.506Z",
"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"shortName": "GitHub_P"
},
"references": [
{
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.15"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.12"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.6"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Incorrect Authorization in GitHub Enterprise Server allows access to issue and commit search results without repo scope",
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"assignerShortName": "GitHub_P",
"cveId": "CVE-2026-3582",
"datePublished": "2026-03-10T18:56:56.506Z",
"dateReserved": "2026-03-05T02:19:50.739Z",
"dateUpdated": "2026-03-11T14:13:44.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-3582\",\"sourceIdentifier\":\"product-cna@github.com\",\"published\":\"2026-03-10T20:16:41.373\",\"lastModified\":\"2026-03-12T18:42:24.297\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user must have had existing access to the repository through organization membership or as a collaborator for the vulnerability to be exploitable. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.16.15, 3.17.12, 3.18.6 and 3.19.3. This vulnerability was reported via the GitHub Bug Bounty program.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de autorizaci\u00f3n incorrecta fue identificada en GitHub Enterprise Server que permit\u00eda a un usuario autenticado con un token de acceso personal (PAT) cl\u00e1sico que carec\u00eda del alcance \u0027repo\u0027 recuperar incidencias y commits de repositorios privados e internos a trav\u00e9s de los puntos finales de la API REST de b\u00fasqueda. El usuario deb\u00eda tener acceso existente al repositorio a trav\u00e9s de la membres\u00eda de la organizaci\u00f3n o como colaborador para que la vulnerabilidad fuera explotable. Esta vulnerabilidad afect\u00f3 a todas las versiones de GitHub Enterprise Server anteriores a la 3.20 y fue corregida en las versiones 3.16.15, 3.17.12, 3.18.6 y 3.19.3. Esta vulnerabilidad fue reportada a trav\u00e9s del programa GitHub Bug Bounty.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"product-cna@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"product-cna@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.16.15\",\"matchCriteriaId\":\"0D5AE5C2-BDBC-4E40-A76D-324DA579F6AF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.17.0\",\"versionEndExcluding\":\"3.17.12\",\"matchCriteriaId\":\"71BDBBDA-966C-419F-8D4F-5E7FB2411AE8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.18.0\",\"versionEndExcluding\":\"3.18.6\",\"matchCriteriaId\":\"32CB5071-12A8-4C9A-9572-4FBC5C20F869\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.19.0\",\"versionEndExcluding\":\"3.19.3\",\"matchCriteriaId\":\"F7BDDDA3-FE7D-45F6-842C-0D023D926E18\"}]}]}],\"references\":[{\"url\":\"https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.15\",\"source\":\"product-cna@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.12\",\"source\":\"product-cna@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.6\",\"source\":\"product-cna@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.3\",\"source\":\"product-cna@github.com\",\"tags\":[\"Release Notes\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"Incorrect Authorization in GitHub Enterprise Server allows access to issue and commit search results without repo scope\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Sergej Ljubojevic\"}], \"impacts\": [{\"capecId\": \"CAPEC-1\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 5.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"GitHub\", \"product\": \"Enterprise Server\", \"versions\": [{\"status\": \"affected\", \"changes\": [{\"at\": \"3.16.15\", \"status\": \"unaffected\"}], \"version\": \"3.16.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"3.16.14\"}, {\"status\": \"affected\", \"changes\": [{\"at\": \"3.17.12\", \"status\": \"unaffected\"}], \"version\": \"3.17.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"3.17.11\"}, {\"status\": \"affected\", \"changes\": [{\"at\": \"3.18.6\", \"status\": \"unaffected\"}], \"version\": \"3.18.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"3.18.5\"}, {\"status\": \"affected\", \"changes\": [{\"at\": \"3.19.3\", \"status\": \"unaffected\"}], \"version\": \"3.19.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"3.19.2\"}], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.15\"}, {\"url\": \"https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.12\"}, {\"url\": \"https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.6\"}, {\"url\": \"https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.3\"}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user must have had existing access to the repository through organization membership or as a collaborator for the vulnerability to be exploitable. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.16.15, 3.17.12, 3.18.6 and 3.19.3. This vulnerability was reported via the GitHub Bug Bounty program.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user must have had existing access to the repository through organization membership or as a collaborator for the vulnerability to be exploitable. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.16.15, 3.17.12, 3.18.6 and 3.19.3. This vulnerability was reported via the GitHub Bug Bounty program.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862 Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"82327ea3-741d-41e4-88f8-2cf9e791e760\", \"shortName\": \"GitHub_P\", \"dateUpdated\": \"2026-03-10T18:56:56.506Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-3582\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-11T14:13:37.842686Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-03-11T14:13:41.364Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2026-3582\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-10T18:56:56.506Z\", \"dateReserved\": \"2026-03-05T02:19:50.739Z\", \"assignerOrgId\": \"82327ea3-741d-41e4-88f8-2cf9e791e760\", \"datePublished\": \"2026-03-10T18:56:56.506Z\", \"assignerShortName\": \"GitHub_P\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…