PatchSiren cyber security CVE debrief
CVE-2026-15783 GitHub CVE debrief
A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with write access to any repository to read metadata from private repositories they did not have access to. The vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.17.18, 3.18.12, 3.19.9, 3.20.5, and 3.21.3. This vulnerability could allow an attacker to enumerate identifiers across the instance and read metadata from private repositories, potentially leading to unauthorized access to sensitive information.
- Vendor
- GitHub
- Product
- Enterprise Server
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Administrators and users of GitHub Enterprise Server, especially those with write access to repositories, should be aware of this vulnerability and take necessary actions to protect their instances. This includes updating to a fixed version, restricting write access to repositories, and monitoring repository access and metadata retrieval.
Technical summary
The vulnerability was caused by a delegated bypass endpoint that resolved a rule suite directly from an attacker-supplied, encoded identifier without verifying that the requesting user could read the rule suite's repository. This allowed an attacker to enumerate identifiers across the instance and read metadata from private repositories. The vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.17.18, 3.18.12, 3.19.9, 3.20.5, and 3.21.3. The fix involves updating the endpoint to properly verify user access to the rule suite's repository.
Defensive priority
Medium
Recommended defensive actions
- Update GitHub Enterprise Server to a fixed version (3.17.18, 3.18.12, 3.19.9, 3.20.5, or 3.21.3)
- Restrict write access to repositories to only authorized users
- Monitor repository access and metadata retrieval
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The vulnerability was reported via the GitHub Bug Bounty program. The CVE record was published on 2026-07-17T16:17:14.183Z and last modified on 2026-07-17T18:11:59.263Z. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected systems and apply patches or mitigations as needed.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T16:17:14.183Z and has not been modified since then.