mediumCVE-2026-14340

CVE-2026-14340 in GitHub Enterprise Server

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a user-to-server token scoped to a GitHub App installation to perform certain write operations on public repositories outside the token's intended scope. This was possible because the authorization check only verified that the installation had read permissions on the target repository rather than verifying that the token's installation was explicitly granted access to that repository. An attacker who obtained a victim's user-to-server token could create issues, issue comments, commit comments, and private vulnerability reports on any public repository, appearing as the victim user with no indication of the app involvement. This vulnerability was fixed by adding a repository scope check for user-to-server tokens issued by global apps. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program.

ProductGitHub Enterprise Server
CVSS5.3
EPSSNot scored yet
UpdatedJuly 14, 2026

Quick answer

GitHub Enterprise Server should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • GitHub Enterprise Server 3.16.0 through 3.16.19
  • GitHub Enterprise Server 3.17.0 through 3.17.16
  • GitHub Enterprise Server 3.18.0 through 3.18.10
  • GitHub Enterprise Server 3.19.0 through 3.19.7
  • GitHub Enterprise Server 3.20.0 through 3.20.3
  • GitHub Enterprise Server 3.21.0 through 3.21.1

Fixed versions

  • GitHub Enterprise Server 3.16.20 or later
  • GitHub Enterprise Server 3.17.17 or later
  • GitHub Enterprise Server 3.18.11 or later
  • GitHub Enterprise Server 3.19.8 or later
  • GitHub Enterprise Server 3.20.4 or later
  • GitHub Enterprise Server 3.21.2 or later

How to fix it

CVE-2026-14340 affects GitHub Enterprise Server. The issue means a user may do actions outside their intended permissions. Treat it as a priority if this software is reachable by users, admins, browsers, or the network. Update to GitHub Enterprise Server 3.16.20 or later, or follow the linked vendor advisory if your branch needs a backport.

  1. Inventory every GitHub Enterprise Server install, package, server, browser, or managed device in use.
  2. Compare installed versions with the affected range: GitHub Enterprise Server 3.16.0 through 3.16.19; GitHub Enterprise Server 3.17.0 through 3.17.16; GitHub Enterprise Server 3.18.0 through 3.18.10; GitHub Enterprise Server 3.19.0 through 3.19.7; GitHub Enterprise Server 3.20.0 through 3.20.3; GitHub Enterprise Server 3.21.0 through 3.21.1.
  3. Update to GitHub Enterprise Server 3.16.20 or later.
  4. If you cannot update today, restrict access to trusted users and trusted networks only.
  5. Review logs for crashes, failed requests, privilege changes, unusual data access, or exploit alerts.
  6. Rotate secrets, tokens, and passwords if exposure or abuse is suspected.
  7. Document the update and keep the advisory link with the change record.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm the installed version matches the fixed guidance: GitHub Enterprise Server 3.16.20 or later; GitHub Enterprise Server 3.17.17 or later; GitHub Enterprise Server 3.18.11 or later; GitHub Enterprise Server 3.19.8 or later; GitHub Enterprise Server 3.20.4 or later; GitHub Enterprise Server 3.21.2 or later.
  • Confirm risky admin, API, browser, or network exposure is reduced.
  • Retest the affected workflow after the update or mitigation.
  • Review logs again after patching for repeated suspicious activity.
  • Run a new Fixnx scan where the affected software is part of the public site.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-14340?

GitHub Enterprise Server versions listed as affected should be reviewed: GitHub Enterprise Server 3.16.0 through 3.16.19, GitHub Enterprise Server 3.17.0 through 3.17.16, GitHub Enterprise Server 3.18.0 through 3.18.10, GitHub Enterprise Server 3.19.0 through 3.19.7, GitHub Enterprise Server 3.20.0 through 3.20.3, GitHub Enterprise Server 3.21.0 through 3.21.1.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.