CVE-2026-1999

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-1999

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

A

Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to access internal services bound to loopback or unspecified addresses, potentially disrupting background job processing, accessing administrative endpoints, metrics, and profiling data, or manipulating job queues. Exploitation required an authenticated user with permissions to configure webhooks (repository, organization, or GitHub App administrator privileges). This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.14.22, 3.15.17, 3.16.13, 3.17.10, 3.18.4, and 3.19.1. This vulnerability was reported via the GitHub Bug Bounty program.

References
Link Resource
https://docs.github.com/en/[email protected]/admin/release-notes#3.14.22
https://docs.github.com/en/[email protected]/admin/release-notes#3.15.17
https://docs.github.com/en/[email protected]/admin/release-notes#3.16.13
https://docs.github.com/en/[email protected]/admin/release-notes#3.17.10
https://docs.github.com/en/[email protected]/admin/release-notes#3.18.4
https://docs.github.com/en/[email protected]/admin/release-notes#3.19.1
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
History

03 Mar 2026, 16:16

Type Values Removed Values Added
CWE CWE-863 CWE-918
Summary (en) An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enable_auto_merge mutation for pull requests. This issue only affected repositories that allow forking as the attack relies on opening a pull request from an attacker-controlled fork into the target repository. Exploitation was only possible in specific scenarios. It required a clean pull request status and only applied to branches without branch protection rules enabled. This vulnerability affected GitHub Enterprise Server versions prior to 3.19.2, 3.18.5, and 3.17.11, and was fixed in versions 3.19.2, 3.18.5, and 3.17.11. This vulnerability was reported via the GitHub Bug Bounty program. (en) A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to access internal services bound to loopback or unspecified addresses, potentially disrupting background job processing, accessing administrative endpoints, metrics, and profiling data, or manipulating job queues. Exploitation required an authenticated user with permissions to configure webhooks (repository, organization, or GitHub App administrator privileges). This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.14.22, 3.15.17, 3.16.13, 3.17.10, 3.18.4, and 3.19.1. This vulnerability was reported via the GitHub Bug Bounty program.
References

19 Feb 2026, 22:07

Type Values Removed Values Added
First Time Github enterprise Server
Github
References () https://docs.github.com/en/[email protected]/admin/release-notes#3.17.11 - () https://docs.github.com/en/[email protected]/admin/release-notes#3.17.11 - Product, Release Notes
References () https://docs.github.com/en/[email protected]/admin/release-notes#3.18.5 - () https://docs.github.com/en/[email protected]/admin/release-notes#3.18.5 - Product, Release Notes
References () https://docs.github.com/en/[email protected]/admin/release-notes#3.19.2 - () https://docs.github.com/en/[email protected]/admin/release-notes#3.19.2 - Product, Release Notes
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.5
Summary
  • (es) Una vulnerabilidad de autorización incorrecta fue identificada en GitHub Enterprise Server que permitía a un atacante fusionar su propia solicitud de extracción en un repositorio sin tener acceso de envío al explotar una omisión de autorización en la mutación enable_auto_merge para solicitudes de extracción. Este problema solo afectó a los repositorios que permiten la bifurcación, ya que el ataque se basa en abrir una solicitud de extracción desde una bifurcación controlada por el atacante en el repositorio objetivo. La explotación solo fue posible en escenarios específicos. Requería un estado de solicitud de extracción limpio y solo se aplicaba a ramas sin reglas de protección de rama habilitadas. Esta vulnerabilidad afectó a las versiones de GitHub Enterprise Server anteriores a 3.19.2, 3.18.5 y 3.17.11, y fue corregida en las versiones 3.19.2, 3.18.5 y 3.17.11. Esta vulnerabilidad fue reportada a través del programa GitHub Bug Bounty.
CPE cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*

18 Feb 2026, 21:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-18 21:16

Updated : 2026-03-03 16:16

NVD link : CVE-2026-1999

Mitre link : CVE-2026-1999

CVE.ORG link : CVE-2026-1999

JSON object : View

Products Affected

github

CWE
CWE-918

Server-Side Request Forgery (SSRF)