PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15783 GitHub CVE debrief

A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with write access to any repository to read metadata from private repositories they did not have access to. The vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.17.18, 3.18.12, 3.19.9, 3.20.5, and 3.21.3. This vulnerability could allow an attacker to enumerate identifiers across the instance and read metadata from private repositories, potentially leading to unauthorized access to sensitive information.

Vendor
GitHub
Product
Enterprise Server
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Administrators and users of GitHub Enterprise Server, especially those with write access to repositories, should be aware of this vulnerability and take necessary actions to protect their instances. This includes updating to a fixed version, restricting write access to repositories, and monitoring repository access and metadata retrieval.

Technical summary

The vulnerability was caused by a delegated bypass endpoint that resolved a rule suite directly from an attacker-supplied, encoded identifier without verifying that the requesting user could read the rule suite's repository. This allowed an attacker to enumerate identifiers across the instance and read metadata from private repositories. The vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.17.18, 3.18.12, 3.19.9, 3.20.5, and 3.21.3. The fix involves updating the endpoint to properly verify user access to the rule suite's repository.

Defensive priority

Medium

Recommended defensive actions

  • Update GitHub Enterprise Server to a fixed version (3.17.18, 3.18.12, 3.19.9, 3.20.5, or 3.21.3)
  • Restrict write access to repositories to only authorized users
  • Monitor repository access and metadata retrieval
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The vulnerability was reported via the GitHub Bug Bounty program. The CVE record was published on 2026-07-17T16:17:14.183Z and last modified on 2026-07-17T18:11:59.263Z. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected systems and apply patches or mitigations as needed.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T16:17:14.183Z and has not been modified since then.