CVE-2026-1999

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enable_auto_merge mutation for pull requests. This issue only affected repositories that allow forking as the attack relies on opening a pull request from an attacker-controlled fork into the target repository. Exploitation was only possible in specific scenarios. It required a clean pull request status and only applied to branches without branch protection rules enabled. This vulnerability affected GitHub Enterprise Server versions prior to 3.19.2, 3.18.5, and 3.17.11, and was fixed in versions 3.19.2, 3.18.5, and 3.17.11. This vulnerability was reported via the GitHub Bug Bounty program.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.11	Product Release Notes
https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.5	Product Release Notes
https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.2	Product Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server::::::::

History

19 Feb 2026, 22:07

Type	Values Removed	Values Added
References	~~() https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.11 -~~	() https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.11 - Product, Release Notes
References	~~() https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.5 -~~	() https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.5 - Product, Release Notes
References	~~() https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.2 -~~	() https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.2 - Product, Release Notes
First Time		Github Github enterprise Server
CPE		cpe:2.3:a:github:enterprise_server::::::::
Summary		(es) Una vulnerabilidad de autorización incorrecta fue identificada en GitHub Enterprise Server que permitía a un atacante fusionar su propia solicitud de extracción en un repositorio sin tener acceso de envío al explotar una omisión de autorización en la mutación enable_auto_merge para solicitudes de extracción. Este problema solo afectó a los repositorios que permiten la bifurcación, ya que el ataque se basa en abrir una solicitud de extracción desde una bifurcación controlada por el atacante en el repositorio objetivo. La explotación solo fue posible en escenarios específicos. Requería un estado de solicitud de extracción limpio y solo se aplicaba a ramas sin reglas de protección de rama habilitadas. Esta vulnerabilidad afectó a las versiones de GitHub Enterprise Server anteriores a 3.19.2, 3.18.5 y 3.17.11, y fue corregida en las versiones 3.19.2, 3.18.5 y 3.17.11. Esta vulnerabilidad fue reportada a través del programa GitHub Bug Bounty.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

18 Feb 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-18 21:16

Updated : 2026-02-19 22:07

NVD link : CVE-2026-1999

Mitre link : CVE-2026-1999

CVE.ORG link : CVE-2026-1999

JSON object : View

Products Affected

github

enterprise_server

CWE

CWE-863

Incorrect Authorization

6.5 /10