CVE-2026-1999

EUVD-2026-7963
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enable_auto_merge mutation for pull requests. This issue only affected repositories that allow forking as the attack relies on opening a pull request from an attacker-controlled fork into the target repository. Exploitation was only possible in specific scenarios. It required a clean pull request status and only applied to branches without branch protection rules enabled. This vulnerability affected GitHub Enterprise Server versions prior to 3.19.2, 3.18.5, and 3.17.11, and was fixed in versions 3.19.2, 3.18.5, and 3.17.11. This vulnerability was reported via the GitHub Bug Bounty program.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
GitHub_PCNA
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 11%
Affected Products (NVD)
VendorProductVersion
githubenterprise_server
𝑥
< 3.17.11
githubenterprise_server
3.18.0 ≤
𝑥
< 3.18.5
githubenterprise_server
3.19.0 ≤
𝑥
< 3.19.2
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
githubgithub
3.17.0 ≤
𝑥
< 3.17.11
CNA
githubgithub
3.18.0 ≤
𝑥
< 3.18.5
CNA
githubgithub
3.19.0 ≤
𝑥
< 3.19.2
CNA
Common Weakness Enumeration
References
https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.11
https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.5
https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.2