CVE-2026-1999

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enable_auto_merge mutation for pull requests. This issue only affected repositories that allow forking as the attack relies on opening a pull request from an attacker-controlled fork into the target repository. Exploitation was only possible in specific scenarios. It required a clean pull request status and only applied to branches without branch protection rules enabled. This vulnerability affected GitHub Enterprise Server versions prior to 3.19.2, 3.18.5, and 3.17.11, and was fixed in versions 3.19.2, 3.18.5, and 3.17.11. This vulnerability was reported via the GitHub Bug Bounty program.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.11
https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.5
https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.2

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server::::::::

History

08 Apr 2026, 22:16

Type	Values Removed	Values Added
Summary	(en) A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to access internal services bound to loopback or unspecified addresses, potentially disrupting background job processing, accessing administrative endpoints, metrics, and profiling data, or manipulating job queues. Exploitation required an authenticated user with permissions to configure webhooks (repository, organization, or GitHub App administrator privileges). This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.14.22, 3.15.17, 3.16.13, 3.17.10, 3.18.4, and 3.19.1. This vulnerability was reported via the GitHub Bug Bounty program.	(en) An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enable_auto_merge mutation for pull requests. This issue only affected repositories that allow forking as the attack relies on opening a pull request from an attacker-controlled fork into the target repository. Exploitation was only possible in specific scenarios. It required a clean pull request status and only applied to branches without branch protection rules enabled. This vulnerability affected GitHub Enterprise Server versions prior to 3.19.2, 3.18.5, and 3.17.11, and was fixed in versions 3.19.2, 3.18.5, and 3.17.11. This vulnerability was reported via the GitHub Bug Bounty program.
CWE	~~CWE-918~~	CWE-863
References	~~{'url': 'https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.22', 'source': 'product-cna@github.com'}~~ ~~{'url': 'https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.17', 'source': 'product-cna@github.com'}~~ ~~{'url': 'https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.13', 'source': 'product-cna@github.com'}~~ ~~{'url': 'https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.10', 'source': 'product-cna@github.com'}~~ ~~{'url': 'https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.4', 'source': 'product-cna@github.com'}~~ ~~{'url': 'https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.1', 'source': 'product-cna@github.com'}~~	() https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.11 - () https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.5 - () https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.2 -

03 Mar 2026, 16:16

Type	Values Removed	Values Added
CWE	~~CWE-863~~	CWE-918
Summary	(en) An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enable_auto_merge mutation for pull requests. This issue only affected repositories that allow forking as the attack relies on opening a pull request from an attacker-controlled fork into the target repository. Exploitation was only possible in specific scenarios. It required a clean pull request status and only applied to branches without branch protection rules enabled. This vulnerability affected GitHub Enterprise Server versions prior to 3.19.2, 3.18.5, and 3.17.11, and was fixed in versions 3.19.2, 3.18.5, and 3.17.11. This vulnerability was reported via the GitHub Bug Bounty program.	(en) A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to access internal services bound to loopback or unspecified addresses, potentially disrupting background job processing, accessing administrative endpoints, metrics, and profiling data, or manipulating job queues. Exploitation required an authenticated user with permissions to configure webhooks (repository, organization, or GitHub App administrator privileges). This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.14.22, 3.15.17, 3.16.13, 3.17.10, 3.18.4, and 3.19.1. This vulnerability was reported via the GitHub Bug Bounty program.
References	~~{'url': 'https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.11', 'tags': ['Product', 'Release Notes'], 'source': 'product-cna@github.com'}~~ ~~{'url': 'https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.5', 'tags': ['Product', 'Release Notes'], 'source': 'product-cna@github.com'}~~ ~~{'url': 'https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.2', 'tags': ['Product', 'Release Notes'], 'source': 'product-cna@github.com'}~~	() https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.22 - () https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.17 - () https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.13 - () https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.10 - () https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.4 - () https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.1 -

19 Feb 2026, 22:07

Type	Values Removed	Values Added
References	~~() https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.11 -~~	() https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.11 - Product, Release Notes
References	~~() https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.5 -~~	() https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.5 - Product, Release Notes
References	~~() https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.2 -~~	() https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.2 - Product, Release Notes
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
First Time		Github Github enterprise Server
CPE		cpe:2.3:a:github:enterprise_server::::::::
Summary		(es) Una vulnerabilidad de autorización incorrecta fue identificada en GitHub Enterprise Server que permitía a un atacante fusionar su propia solicitud de extracción en un repositorio sin tener acceso de envío al explotar una omisión de autorización en la mutación enable_auto_merge para solicitudes de extracción. Este problema solo afectó a los repositorios que permiten la bifurcación, ya que el ataque se basa en abrir una solicitud de extracción desde una bifurcación controlada por el atacante en el repositorio objetivo. La explotación solo fue posible en escenarios específicos. Requería un estado de solicitud de extracción limpio y solo se aplicaba a ramas sin reglas de protección de rama habilitadas. Esta vulnerabilidad afectó a las versiones de GitHub Enterprise Server anteriores a 3.19.2, 3.18.5 y 3.17.11, y fue corregida en las versiones 3.19.2, 3.18.5 y 3.17.11. Esta vulnerabilidad fue reportada a través del programa GitHub Bug Bounty.

18 Feb 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-18 21:16

Updated : 2026-04-08 22:16

NVD link : CVE-2026-1999

Mitre link : CVE-2026-1999

CVE.ORG link : CVE-2026-1999

JSON object : View

Products Affected

github

enterprise_server

CWE

CWE-863

Incorrect Authorization

6.5 /10