{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5512", "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "state": "PUBLISHED", "assignerShortName": "GitHub_P", "dateReserved": "2026-04-03T18:21:52.907Z", "datePublished": "2026-04-21T22:12:58.344Z", "dateUpdated": "2026-04-21T22:14:01.033Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "shortName": "GitHub_P", "dateUpdated": "2026-04-21T22:14:01.033Z"}, "title": "Improper authorization vulnerability in GitHub Enterprise Server allowed disclosure of private repository names via mobile upload policy API", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-201", "description": "CWE-201 Insertion of sensitive information into sent data", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-113", "descriptions": [{"lang": "en", "value": "CAPEC-113 Interface Manipulation"}]}], "affected": [{"vendor": "GitHub", "product": "Enterprise Server", "versions": [{"status": "affected", "version": "3.14.0", "lessThanOrEqual": "3.14.25", "changes": [{"at": "3.14.26", "status": "unaffected"}], "versionType": "semver"}, {"status": "affected", "version": "3.15.0", "lessThanOrEqual": "3.15.20", "changes": [{"at": "3.15.21", "status": "unaffected"}], "versionType": "semver"}, {"status": "affected", "version": "3.16.0", "lessThanOrEqual": "3.16.16", "changes": [{"at": "3.16.17", "status": "unaffected"}], "versionType": "semver"}, {"status": "affected", "version": "3.17.0", "lessThanOrEqual": "3.17.13", "changes": [{"at": "3.17.14", "status": "unaffected"}], "versionType": "semver"}, {"status": "affected", "version": "3.18.0", "lessThanOrEqual": "3.18.7", "changes": [{"at": "3.18.8", "status": "unaffected"}], "versionType": "semver"}, {"status": "affected", "version": "3.19.0", "lessThanOrEqual": "3.19.4", "changes": [{"at": "3.19.5", "status": "unaffected"}], "versionType": "semver"}, {"status": "affected", "version": "3.20.0", "lessThan": "3.20.1", "changes": [{"at": "3.20.1", "status": "unaffected"}], "versionType": "semver"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to determine the names of private repositories by their numeric ID. The mobile upload policy API endpoint did not perform an early authorization check, and validation error messages included the full repository name for repositories the caller did not have access to. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to determine the names of private repositories by their numeric ID. The mobile upload policy API endpoint did not perform an early authorization check, and validation error messages included the full repository name for repositories the caller did not have access to. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.<br>"}]}], "references": [{"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.26"}, {"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.21"}, {"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.17"}, {"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.14"}, {"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.8"}, {"url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.5"}, {"url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N"}}], "credits": [{"lang": "en", "value": "ahacker1", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to determine the names of private repositories by their numeric ID. The mobile upload policy API endpoint did not perform an early authorization check, and validation error messages included the full repository name for repositories the caller did not have access to. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program."}], "id": "CVE-2026-5512", "lastModified": "2026-04-21T23:16:22.297", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "product-cna@github.com", "type": "Secondary"}]}, "published": "2026-04-21T23:16:22.297", "references": [{"source": "product-cna@github.com", "url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.26"}, {"source": "product-cna@github.com", "url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.21"}, {"source": "product-cna@github.com", "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.17"}, {"source": "product-cna@github.com", "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.14"}, {"source": "product-cna@github.com", "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.8"}, {"source": "product-cna@github.com", "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.5"}, {"source": "product-cna@github.com", "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1"}], "sourceIdentifier": "product-cna@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}], "source": "product-cna@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.14.0,3.14.25]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.15.0,3.15.20]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.16.0,3.16.16]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.17.0,3.17.13]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.18.0,3.18.7]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.19.0,3.19.4]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.20.0,3.20.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Enterprise Server", "source": "cna", "vendor": "GitHub"}, "product": "enterprise_server", "vendor": "github"}], "analysis": {"en": {"generated_at": "2026-04-22T06:17:39.859572+00:00", "value": {"mitigation_remediation": ["Upgrade GitHub Enterprise Server to version 3.21 or any of the patched releases (3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, or 3.14.26).", "Verify that the mobile upload policy API does not expose repository names in error messages and enforce early authorization for all requests.", "Restrict access to the mobile upload policy endpoint to users with legitimate repository permission and monitor for abnormal API usage patterns."], "summary": {"action": "Patch Immediately", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all GitHub Enterprise Server releases prior to 3.21. Fixes have been applied in 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. Ops teams should verify which exact minor release they are running and plan to upgrade to a patched version.", "description_and_impact": "An improper authorization flaw in the mobile upload policy API of GitHub Enterprise Server allowed an authenticated attacker to learn the names of private repositories by their numeric IDs. When the API produced a validation error, the response contained the full repository name even for repositories the caller could not access. The weakness is a classic CWE\u2011201 situation where authorization is omitted, enabling confidential information to be exposed to users who do not have permission to view it. The CVSS score of 5.3 indicates a moderate risk to confidentiality.", "risk_and_exploitability": "The likely attack vector is an authenticated request to the mobile upload policy endpoint, as the vulnerability is triggered by a validation error from this API. Because the attacker needs any authenticated session with the server, the exploit is feasible for users with compromised or reused credentials. The EPSS score is not available, and the vulnerability is not in the CISA KEV, but the CVSS of 5.3 and the fact that the flaw is purely informational still present a meaningful threat to confidentiality. Organizations should treat this as an elevated risk until the server is updated."}}}}, "created": "2026-04-22T03:45:06.828853+00:00", "updated": "2026-04-22T06:30:10.665666+00:00", "vendors": ["github", "github$PRODUCT$enterprise_server"]}