=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN442
_____________________________________________________________________

DATE                : 29/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GitHub Enterprise Server versions
                     prior to 3.20.1, 3.19.4, 3.18.7, 3.17.13, 3.16.16,
                     3.15.20, 3.14.25.

=====================================================================
https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1-security-fixes
https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.4-security-fixes
https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.7-security-fixes
https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.13-security-fixes
https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.16-security-fixes
https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.20-security-fixes
https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.25-security-fixes
_____________________________________________________________________

3.20.1: Security fixes

    HIGH: An attacker could gain unauthorized access to private
repositories by abusing scoped user-to-server (ghu_) tokens after
their associated GitHub App installation was revoked or deleted.
In certain cases, the authorization layer could incorrectly fall
back to a global installation context instead of rejecting the
request, allowing the token to access resources outside its
intended installation or repository scope. This issue could be
chained with weaknesses in token revocation timing and SSH push
attribution to obtain a victim-scoped token and read private
repository contents without victim interaction. GitHub has
requested CVE ID CVE-2026-5845 for this vulnerability, which
was reported via the GitHub Bug Bounty program.

    HIGH: An attacker could extract sensitive environment
variables from a GitHub Enterprise Server instance through a
timing side-channel attack against the notebook rendering
service. When private mode was disabled, the notebook viewer
followed HTTP redirects without revalidating the destination
host, enabling an unauthenticated Server-Side Request
Forgery (SSRF) to internal services. By measuring response
time differences, an attacker could infer secret values
character by character. GitHub has requested CVE ID
CVE-2026-5921 for this vulnerability, which was reported
via the GitHub Bug Bounty program.

    HIGH: A Management Console administrator could inject
shell metacharacters into configuration fields via the
Management Console configuration API, leading to arbitrary
command execution on the appliance as the admin OS user.
GitHub has requested CVE ID CVE-2026-4821 for this
vulnerability, which was reported via the GitHub Bug
Bounty program.

    HIGH: An attacker with knowledge of a target
application's registered OAuth callback URL could gain
unauthorized access to user accounts by exploiting
incorrect regular expression matching in callback URL
validation. GitHub has requested CVE ID CVE-2026-4296
for this vulnerability, which was reported via the
GitHub Bug Bounty program.

    HIGH: An attacker without write access could merge
their own pull request into a repository that allowed
forks by exploiting an incorrect authorization check
in the enable_auto_merge mutation for pull requests.
Exploitation required a clean pull request status and
only applied to branches without branch protection
rules enabled. GitHub has requested CVE ID CVE-2026-1999
for this vulnerability, which was reported via the
GitHub Bug Bounty program.

    MEDIUM: An attacker with permission to manage secret
scanning push protection settings in one repository
could add or remove delegated bypass reviewers in a
different repository by exploiting an incorrect
authorization check in the
/settings/security_analysis/bypass_reviewers endpoints.
Authorization was checked against the repository in the
URL route, but the action was applied to a different
repository specified in the request body. The impact is
limited to assigning existing trusted users as bypass
reviewers. GitHub has requested CVE ID CVE-2026-3307
for this vulnerability, which was reported via the
GitHub Bug Bounty program.
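The bypass_reviewers flaw above is a route/body mismatch: authorization is evaluated against the repository named in the URL path, while the write is applied to the repository named in the request body. The following is an added illustration, not GitHub's code; the request shape, the permission store and the handler names are assumptions. It shows a minimal vulnerable handler next to a hardened one that binds the action to the repository that was actually authorized.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for a request to
    /<owner>/<repo>/settings/security_analysis/bypass_reviewers."""
    route_repo: str   # repository named in the URL path
    body: dict        # parsed JSON body (assumed shape: repository, reviewer)
    actor: str        # authenticated user


@dataclass
class Store:
    # repo -> users allowed to manage push-protection settings (assumed model)
    push_protection_admins: dict = field(default_factory=dict)
    # repo -> delegated bypass reviewers
    bypass_reviewers: dict = field(default_factory=dict)


def can_manage_push_protection(store, actor, repo):
    return actor in store.push_protection_admins.get(repo, set())


def add_bypass_reviewer_vulnerable(store, req):
    # Authorization is checked against the repository in the route...
    if not can_manage_push_protection(store, req.actor, req.route_repo):
        raise PermissionError("forbidden")
    # ...but the mutation targets whatever repository the body names.
    target = req.body.get("repository", req.route_repo)
    store.bypass_reviewers.setdefault(target, set()).add(req.body["reviewer"])
    return target


def add_bypass_reviewer_fixed(store, req):
    # Authorize and act on the same object: the repository from the route.
    target = req.route_repo
    body_repo = req.body.get("repository")
    if body_repo is not None and body_repo != target:
        # A body that names a different repository is rejected outright.
        raise ValueError("body repository does not match route repository")
    if not can_manage_push_protection(store, req.actor, target):
        raise PermissionError("forbidden")
    store.bypass_reviewers.setdefault(target, set()).add(req.body["reviewer"])
    return target
```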

    MEDIUM: An authenticated attacker could determine
the names of private repositories by their numeric ID
through the mobile upload policy API endpoint, which
returned repository names in validation error messages
without verifying the caller's access. GitHub has
requested CVE ID CVE-2026-5512 for this vulnerability,
which was reported via the GitHub Bug Bounty program.

    LOW: An attacker could create or modify organization
rulesets because Security Managers had unintended access.
To mitigate this issue, GitHub updated role-based access
controls to prevent Security Managers from changing
rulesets. This vulnerability was reported via the GitHub
Bug Bounty program.

_____________________________________________________________________

3.19.4: Security fixes

    HIGH: An attacker with push access to a repository could execute
arbitrary code on the instance by injecting malicious values into
Git push options. The push options were not properly sanitized before
being included in internal headers used for Git operations, allowing
the attacker to override internal metadata fields and achieve remote
code execution. GitHub has requested CVE ID CVE-2026-3854 for this
vulnerability, which was reported via the GitHub Bug Bounty program.

    HIGH: An authenticated attacker could execute arbitrary JavaScript
in another user's browser session. The vulnerability was an
HTML-escaping flaw in task list rendering that allowed malicious task
list items in issues or comments to bypass Content Security Policy
protections. GitHub has requested CVE ID CVE-2026-2266 for this
vulnerability, which was reported via the GitHub Bug Bounty program.

    MEDIUM: An attacker could use the REST API endpoints
/search/commits or /search/issues with a personal access token (classic)
that lacks the repo scope to retrieve results from private or internal
repositories by using the repo:OWNER/REPO qualifier. GitHub has
requested CVE ID CVE-2026-3582 for this vulnerability, which was
reported via the GitHub Bug Bounty program.

    MEDIUM: An attacker with read access to a repository and write
access to a project could bypass repository write permissions to
modify issue and pull request labels, assignees, and other metadata
by adding duplicate items to the project. GitHub has requested
CVE ID CVE-2026-3306 for this vulnerability, which was reported
via the GitHub Bug Bounty program.

_____________________________________________________________________

3.18.7: Security fixes

    HIGH: An attacker with push access to a repository could execute
arbitrary code on the instance by injecting malicious values into
Git push options. The push options were not properly sanitized before
being included in internal headers used for Git operations, allowing
the attacker to override internal metadata fields and achieve remote
code execution. GitHub has requested CVE ID CVE-2026-3854 for this
vulnerability, which was reported via the GitHub Bug Bounty program.

    MEDIUM: An attacker could use the REST API endpoints
/search/commits or /search/issues with a personal access token
(classic) that lacks the repo scope to retrieve results from private
or internal repositories by using the repo:OWNER/REPO qualifier.
GitHub has requested CVE ID CVE-2026-3582 for this vulnerability,
which was reported via the GitHub Bug Bounty program.

    MEDIUM: An attacker with read access to a repository and write
access to a project could bypass repository write permissions to
modify issue and pull request labels, assignees, and other metadata
by adding duplicate items to the project. GitHub has requested
CVE ID CVE-2026-3306 for this vulnerability, which was reported via
the GitHub Bug Bounty program.

    HIGH: An authenticated attacker could execute arbitrary
JavaScript in another user's browser session. The vulnerability was
an HTML-escaping flaw in task list rendering that allowed malicious
task list items in issues or comments to bypass Content Security
Policy protections. GitHub has requested CVE ID CVE-2026-2266 for
this vulnerability, which was reported via the GitHub Bug Bounty
program.
_____________________________________________________________________

3.17.13: Security fixes

    HIGH: An attacker with push access to a repository could execute
arbitrary code on the instance by injecting malicious values into Git
push options. The push options were not properly sanitized before
being included in internal headers used for Git operations, allowing
the attacker to override internal metadata fields and achieve remote
code execution. GitHub has requested CVE ID CVE-2026-3854 for this
vulnerability, which was reported via the GitHub Bug Bounty program.

    MEDIUM: An attacker could use the REST API endpoints
/search/commits or /search/issues with a personal access token
(classic) that lacks the repo scope to retrieve results from private
or internal repositories by using the repo:OWNER/REPO qualifier.
GitHub has requested CVE ID CVE-2026-3582 for this vulnerability,
which was reported via the GitHub Bug Bounty program.

    MEDIUM: An attacker with read access to a repository and write
access to a project could bypass repository write permissions to
modify issue and pull request labels, assignees, and other metadata
by adding duplicate items to the project. GitHub has requested
CVE ID CVE-2026-3306 for this vulnerability, which was reported via
the GitHub Bug Bounty program.
_____________________________________________________________________

3.16.16: Security fixes

    HIGH: An attacker with push access to a repository could execute
arbitrary code on the instance by injecting malicious values into Git
push options. The push options were not properly sanitized before
being included in internal headers used for Git operations, allowing
the attacker to override internal metadata fields and achieve remote
code execution. GitHub has requested CVE ID CVE-2026-3854 for this
vulnerability, which was reported via the GitHub Bug Bounty program.

    MEDIUM: An attacker could use the REST API endpoints
/search/commits or /search/issues with a personal access token
(classic) that lacks the repo scope to retrieve results from private
or internal repositories by using the repo:OWNER/REPO qualifier.
GitHub has requested CVE ID CVE-2026-3582 for this vulnerability,
which was reported via the GitHub Bug Bounty program.

    MEDIUM: An attacker with read access to a repository and write
access to a project could bypass repository write permissions to
modify issue and pull request labels, assignees, and other metadata
by adding duplicate items to the project. GitHub has requested
CVE ID CVE-2026-3306 for this vulnerability, which was reported via
the GitHub Bug Bounty program.
_____________________________________________________________________

3.15.20: Security fixes

    HIGH: An attacker with push access to a repository could execute
arbitrary code on the instance by injecting malicious values into Git
push options. The push options were not properly sanitized before
being included in internal headers used for Git operations, allowing
the attacker to override internal metadata fields and achieve remote
code execution. GitHub has requested CVE ID CVE-2026-3854 for this
vulnerability, which was reported via the GitHub Bug Bounty program.

    MEDIUM: An attacker with read access to a repository and write
access to a project could bypass repository write permissions to
modify issue and pull request labels, assignees, and other metadata
by adding duplicate items to the project. GitHub has requested
CVE ID CVE-2026-3306 for this vulnerability, which was reported via
the GitHub Bug Bounty program.
_____________________________________________________________________

3.14.25: Security fixes

    HIGH: An attacker with push access to a repository could execute
arbitrary code on the instance by injecting malicious values into
Git push options. The push options were not properly sanitized before
being included in internal headers used for Git operations, allowing
the attacker to override internal metadata fields and achieve remote
code execution. GitHub has requested CVE ID CVE-2026-3854 for this
vulnerability, which was reported via the GitHub Bug Bounty program.

    MEDIUM: An attacker with read access to a repository and write
access to a project could bypass repository write permissions to
modify issue and pull request labels, assignees, and other metadata
by adding duplicate items to the project. GitHub has requested
CVE ID CVE-2026-3306 for this vulnerability, which was reported
via the GitHub Bug Bounty program.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================