CVE-2026-0573
📋 TL;DR
An authenticated attacker on GitHub Enterprise Server could abuse an insecure URL redirect in the repository_pages API: a server-side request follows a redirect to an attacker-controlled host and carries its Authorization header with it, leaking privileged JWT tokens. A stolen Actions.ManageOrgs token could then be used to reach remote code execution. All GitHub Enterprise Server instances running a release older than the patched versions listed below are affected.
💻 Affected Systems
- GitHub Enterprise Server
📦 What is this software?
GitHub Enterprise Server is the self-hosted, customer-operated deployment of GitHub, run as an appliance on a VM or cloud instance and upgraded by the customer rather than by GitHub.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution on the GitHub Enterprise Server instance, potentially compromising the entire platform and all hosted repositories.
Likely Case
Unauthorized access to organization management functions, repository manipulation, or data exfiltration using stolen tokens.
If Mitigated
Egress filtering and monitoring reduce the impact, because the token must reach an attacker-controlled host to be stolen, but any token that does leak is a privileged credential and should be treated as compromised.
🎯 Exploit Status
Exploitation requires an authenticated account on the instance and control of an external host that the redirected server-side request can reach; the leaked token arrives in the Authorization header of that redirected request.
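The redirect behaviour described above, as an added Python illustration. This is not GitHub Enterprise Server code and does not reproduce the affected component; it shows the generic bug class (a server-side HTTP client replaying its Authorization header to whatever host a redirect names) next to the hardened form that drops credentials when the redirect leaves the original origin. All URLs, the token value and the function names are constructed for the example.

```python
"""Added illustration, not GitHub Enterprise Server code: a server-side HTTP
client that replays its Authorization header to whatever host a redirect
names, beside the hardened form that drops credentials on a cross-origin
redirect. All URLs and the token value are constructed for the example."""
from urllib.parse import urljoin, urlsplit

# Headers that must never follow a redirect to a different origin.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}


def origin_of(url):
    """(scheme, host, effective port) for an absolute URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return (scheme, (parts.hostname or "").lower(), port)


def redirect_headers_vulnerable(request_url, location, headers):
    """Vulnerable pattern: every request header, including the bearer token,
    is re-sent to the Location target without checking where it points."""
    return dict(headers)


def redirect_headers_hardened(request_url, location, headers):
    """Hardened pattern: resolve Location against the original URL, keep
    credentials only if the origin is unchanged, otherwise strip them."""
    target = urljoin(request_url, location)
    if origin_of(target) == origin_of(request_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


def token_reaches_redirect_target(policy, request_url, location, token):
    """Simulate one hop: an internal caller requests request_url with a
    privileged JWT, gets a 302 to `location`, and re-issues the request with
    whatever `policy` returns. True means the redirect target sees the token."""
    sent = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    resent = policy(request_url, location, sent)
    return any(k.lower() == "authorization" for k in resent)


if __name__ == "__main__":
    api = "https://ghe.example.com/api/v3/repository_pages/42"   # constructed
    evil = "https://collector.attacker.example/grab"             # constructed
    jwt = "eyJhbGciOiJSUzI1NiJ9.constructed.signature"           # constructed
    for name, policy in (("vulnerable", redirect_headers_vulnerable),
                         ("hardened", redirect_headers_hardened)):
        print(name, "leaks token:", token_reaches_redirect_target(policy, api, evil, jwt))
```

The hardened check compares scheme, host and effective port, so an https to http downgrade on the same host also strips the header; a relative Location stays on the original origin and keeps it. Mainstream HTTP clients that implement this rule do so for exactly the reason this advisory exists: a redirect target is attacker-influenced input.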
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.19.2, 3.18.4, 3.17.10, 3.16.13, 3.15.17 or 3.14.22, whichever matches the release line you are running
Vendor Advisory: https://docs.github.com/en/enterprise-server/admin/release-notes
Restart Required: Yes
Instructions:
1. Back up your GitHub Enterprise Server instance.
2. Download the patch release for your release line from GitHub Enterprise releases.
3. Follow the upgrade instructions for your deployment method (VM, AWS, Azure, etc.).
4. Restart the instance after the upgrade completes.
🔧 Temporary Workarounds
Network restriction for outbound API calls
Restrict outbound HTTP requests from GitHub Enterprise Server to trusted domains only, so a redirected request carrying a token cannot reach an attacker-controlled host.
Monitor for suspicious redirects
Implement logging and monitoring for repository_pages API calls whose redirect target is an external domain.
🧯 If You Can't Patch
- Implement strict network egress filtering to prevent GitHub Enterprise Server from making outbound HTTP requests to untrusted domains.
- Monitor authentication logs for unusual token usage patterns and implement alerting for Actions.ManageOrgs JWT usage.
🔍 How to Verify
Check if Vulnerable:
Check your GitHub Enterprise Server version via the Management Console or SSH into the appliance and run 'ghe-version'.
Check Version:
ghe-version
Verify Fix Applied:
Verify that the version is 3.19.2 or higher, or at least the patched version for your release line: 3.18.4, 3.17.10, 3.16.13, 3.15.17 or 3.14.22. Compare the patch component numerically (3.17.10 is newer than 3.17.9).
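A small version checker for the procedure above, added here as an example and not a GitHub-provided tool. It takes the text printed by `ghe-version`, extracts the first major.minor.patch number, and compares it against the patched versions this page lists for each release line. The sample output string is constructed; the exact wording `ghe-version` prints is not relied on.

```python
"""Added helper, not a GitHub tool: parse `ghe-version` output and compare
the running release against the patched versions listed in the advisory.
Sample outputs are constructed; only the first major.minor.patch number in
the text is used."""
import re

# Patched versions from the advisory, keyed by release line (major, minor).
FIXED_VERSIONS = {
    (3, 19): (3, 19, 2),
    (3, 18): (3, 18, 4),
    (3, 17): (3, 17, 10),
    (3, 16): (3, 16, 13),
    (3, 15): (3, 15, 17),
    (3, 14): (3, 14, 22),
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_ghe_version(output):
    """Return (major, minor, patch) from the first X.Y.Z in the text."""
    match = _VERSION_RE.search(output)
    if match is None:
        raise ValueError(f"no X.Y.Z version in ghe-version output: {output!r}")
    return tuple(int(part) for part in match.groups())


def assess(version):
    """'patched' if the version is at or above the fix for its release line,
    'vulnerable' if below it, 'unlisted' if the advisory names no fix for
    that line (lines older than 3.14, or newer than 3.19, which this page
    does not cover and which should be checked against the vendor notes)."""
    fixed = FIXED_VERSIONS.get(tuple(version[:2]))
    if fixed is None:
        return "unlisted"
    # Tuple comparison, not string comparison: "3.17.9" > "3.17.10" as strings.
    return "patched" if tuple(version) >= fixed else "vulnerable"


def assess_ghe_version_output(output):
    return assess(parse_ghe_version(output))


if __name__ == "__main__":
    import subprocess
    # On the appliance, run the real command; elsewhere, fall back to a
    # constructed sample so the script still demonstrates the check.
    try:
        text = subprocess.run(["ghe-version"], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = "GitHub Enterprise Server 3.18.3"  # constructed sample output
    print(text.strip(), "->", assess_ghe_version_output(text))
```

Release lines the page does not list are reported as "unlisted" rather than guessed at, so a 3.20.x or 3.13.x appliance is flagged for a manual check against the vendor release notes instead of being silently called patched.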
📡 Detection & Monitoring
Log Indicators:
- Unusual repository_pages API calls with external redirects
- Authentication attempts using Actions.ManageOrgs tokens from unexpected sources
Network Indicators:
- Outbound HTTP requests from GitHub Enterprise Server to unknown domains with authorization headers
SIEM Query (pseudo-query; map the source name and field names to your own log schema):
source="github-enterprise" AND (url_redirect OR repository_pages) AND external_domain
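The two log indicators above, applied in code to a handful of constructed events. This is an added example, not a GitHub-provided detection; the event shape (the fields `kind`, `actor`, `path`, `status`, `location`, `url`, `has_authorization`) and the trusted hostnames are assumptions for the example and must be mapped onto whatever your log pipeline actually records.

```python
"""Added detection example, not a GitHub-provided query: apply the two log
indicators (repository_pages redirects to external hosts, and outbound
requests carrying Authorization to untrusted hosts) to constructed JSON
events. Field names and trusted hostnames are assumed for the example."""
import json
from urllib.parse import urlsplit

# Hostnames the appliance is expected to talk to (assumed for the example).
TRUSTED_SUFFIXES = ("ghe.example.com",)
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample events, not real GHES log output.
SAMPLE_EVENTS = [
    '{"kind":"api_response","actor":"alice","path":"/api/v3/repos/acme/web/pages","status":200}',
    '{"kind":"api_response","actor":"mallory","path":"/api/v3/repository_pages/77","status":302,'
    '"location":"https://collector.attacker.example/grab"}',
    '{"kind":"api_response","actor":"bob","path":"/api/v3/repository_pages/12","status":302,'
    '"location":"https://pages.ghe.example.com/site/12"}',
    '{"kind":"outbound_request","url":"https://collector.attacker.example/grab","has_authorization":true}',
    '{"kind":"outbound_request","url":"https://pages.ghe.example.com/site/12","has_authorization":true}',
    '{"kind":"outbound_request","url":"https://updates.example.org/ping","has_authorization":false}',
]


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_trusted(host):
    # Exact match or a dot-separated subdomain; a bare suffix match would let
    # "evil-ghe.example.com" or "ghe.example.com.attacker.example" through.
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def find_suspicious(raw_events):
    """Return one alert dict per event matching either indicator:
    (1) a repository_pages API response redirecting to an untrusted host,
    (2) an outbound request to an untrusted host that carried Authorization."""
    alerts = []
    for raw in raw_events:
        ev = json.loads(raw)
        kind = ev.get("kind")
        if kind == "api_response":
            if ("repository_pages" in ev.get("path", "")
                    and ev.get("status") in REDIRECT_STATUSES):
                host = host_of(ev.get("location", ""))
                if host and not is_trusted(host):
                    alerts.append({"indicator": "external_redirect",
                                   "actor": ev.get("actor"), "host": host})
        elif kind == "outbound_request" and ev.get("has_authorization"):
            host = host_of(ev.get("url", ""))
            if host and not is_trusted(host):
                alerts.append({"indicator": "token_egress", "host": host})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS):
        print(alert)
```

Both indicators fire on the same attacker host in the sample, which is the pattern to correlate on: an external redirect issued to one account's repository_pages call, followed by an outbound request with credentials to the host that redirect named. The second indicator alone is the stronger signal, because it fires regardless of which API produced the redirect.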
🔗 References
- https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.22
- https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.17
- https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.13
- https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.10
- https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.4
- https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.2