CVE-2026-6736

Summary

An authentication bypass vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to create a local user account, bypassing the configured external identity provider. When external authentication was enabled, the signup endpoint did not properly enforce the authentication restriction, allowing account creation and session establishment without identity provider validation. The created account was limited to the default base permissions configured on the instance. Exploitation required network access to a GHES instance configured with an external authentication provider. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18.

Affected Software

VendorProductVersion RangeStatus
GitHubEnterprise Server3.16.0 <= 3.16.17affected
GitHubEnterprise Server3.17.0 <= 3.17.14affected
GitHubEnterprise Server3.18.0 <= 3.18.8affected
GitHubEnterprise Server3.19.0 <= 3.19.5affected
GitHubEnterprise Server3.20.0 <= 3.20.1affected

Weaknesses

  • CWE-306: CWE-306 Missing Authentication for Critical Function

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References