GHSA-GFJ9-8V3R-JH2Q
Vulnerability from github – Published: 2026-06-30 21:31 – Updated: 2026-06-30 21:31
VLAI
Details
A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. An attacker could exploit this by creating an OAuth application requesting the manage_runners:org scope and directing a victim user to authorize it, as the scope was not displayed on the authorization consent screen. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program.
Severity
{
"affected": [],
"aliases": [
"CVE-2026-9106"
],
"database_specific": {
"cwe_ids": [
"CWE-451"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T21:16:30Z",
"severity": "MODERATE"
},
"details": "A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization\u0027s runner management. An attacker could exploit this by creating an OAuth application requesting the manage_runners:org scope and directing a victim user to authorize it, as the scope was not displayed on the authorization consent screen. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program.",
"id": "GHSA-gfj9-8v3r-jh2q",
"modified": "2026-06-30T21:31:45Z",
"published": "2026-06-30T21:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9106"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.20"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.17"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.11"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.8"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.4"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.21/admin/release-notes#3.21.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…