CVE-2026-1355
📋 TL;DR
A Missing Authorization vulnerability in GitHub Enterprise Server allows authenticated attackers to upload unauthorized content to other users' repository migration exports. By exploiting the missing authorization check in the migration upload endpoint, attackers can overwrite victims' migration archives, potentially causing victims to download attacker-controlled repository data during migration restores. This affects all GitHub Enterprise Server instances prior to version 3.20.
💻 Affected Systems
- GitHub Enterprise Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious code or sensitive data into victim repositories, leading to supply chain attacks, data breaches, or repository corruption during migration restores.
Likely Case
Unauthorized modification of repository migration archives, potentially causing data integrity issues or exposure to malicious content during automated imports.
If Mitigated
Limited to authenticated users only, with proper access controls preventing unauthorized uploads to other users' migration exports.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of migration identifiers. No public exploit code has been disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.19.2, 3.18.5, 3.17.11, 3.16.14, 3.15.18, 3.14.23
Vendor Advisory: https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.23
Restart Required: Yes
Instructions:
1. Back up your GitHub Enterprise Server instance.
2. Download the appropriate patched version from GitHub Enterprise Server releases.
3. Follow GitHub's upgrade documentation for your current version.
4. Apply the patch and restart the instance.
5. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Restrict Repository Migration Access
Limit repository migration functionality to trusted administrators only through access controls.
🧯 If You Can't Patch
- Implement strict access controls to limit who can perform repository migrations.
- Monitor migration logs for unauthorized upload attempts and review all migration activities.
🔍 How to Verify
Check if Vulnerable:
Check your GitHub Enterprise Server version via the Management Console or SSH into the appliance and run 'ghe-version'.
Check Version:
ghe-version
Verify Fix Applied:
Verify the version is at or above the patched release for your release line (3.19.2, 3.18.5, 3.17.11, 3.16.14, 3.15.18, 3.14.23) or is 3.20 or later, and test repository migration uploads to confirm that authorization checks are enforced.
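The version check above is easy to get wrong by hand because the patched release differs per release line (3.18.4 is vulnerable while 3.14.23 is fixed). The following helper, added here as an example and not part of the advisory or of GitHub's tooling, parses the string printed by `ghe-version` and classifies the instance against the patch versions listed in this advisory. The exact output format of `ghe-version` is assumed (the helper only requires that a `major.minor.patch` number appear somewhere in the output); the sample outputs are constructed.

```python
import re

# Minimum fixed release per release line, as listed in the advisory's "Patch Version".
FIXED_RELEASES = {
    (3, 14): (3, 14, 23),
    (3, 15): (3, 15, 18),
    (3, 16): (3, 16, 14),
    (3, 17): (3, 17, 11),
    (3, 18): (3, 18, 5),
    (3, 19): (3, 19, 2),
}

# The advisory states the issue affects instances prior to 3.20, so any
# 3.20+ release line is treated as unaffected.
FIRST_UNAFFECTED_LINE = (3, 20)

# Matches the first major.minor.patch triple anywhere in the output.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_ghe_version(output: str):
    """Extract (major, minor, patch) from ghe-version output, or None if absent."""
    match = VERSION_RE.search(output)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def assess(version):
    """Classify a parsed version as 'fixed', 'vulnerable', 'unsupported' or 'unknown'.

    'unsupported' means the release line is older than any line with a listed
    patch; such instances have no fix in this advisory and should be upgraded.
    """
    if version is None:
        return "unknown"
    line = version[:2]
    if line >= FIRST_UNAFFECTED_LINE:
        return "fixed"
    fixed = FIXED_RELEASES.get(line)
    if fixed is None:
        return "unsupported"
    # Tuple comparison gives correct numeric ordering (3.14.9 < 3.14.23).
    return "fixed" if version >= fixed else "vulnerable"


def check_output(output: str) -> str:
    """Convenience wrapper: classify raw ghe-version output in one call."""
    return assess(parse_ghe_version(output))


if __name__ == "__main__":
    # Constructed sample outputs; the real format is assumed to contain the version number.
    samples = [
        "GitHub Enterprise Server 3.18.4",
        "GitHub Enterprise Server 3.18.5",
        "GitHub Enterprise Server 3.14.23",
        "GitHub Enterprise Server 3.20.0",
        "GitHub Enterprise Server 3.13.9",
        "command not found",
    ]
    for sample in samples:
        print(f"{sample!r}: {check_output(sample)}")
```

Run it as `ssh admin@HOSTNAME -p 122 -- ghe-version | python3 check_ghes.py` style input, or paste the output into `check_output()`; anything other than `fixed` means the instance still needs the upgrade from the "Official Fix" section.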
📡 Detection & Monitoring
Log Indicators:
- Unauthorized POST requests to repository migration upload endpoints
- Failed authorization attempts on migration endpoints
- Unexpected migration archive modifications
Network Indicators:
- Unusual migration-related API traffic patterns
- Suspicious uploads to migration endpoints from unauthorized users
SIEM Query:
source="github-enterprise" AND (event="repository_migration" AND action="upload" AND result="success") | stats count by user
🔗 References
- https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.23
- https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.18
- https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.14
- https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.11
- https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.5
- https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.2