{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3582", "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "state": "PUBLISHED", "assignerShortName": "GitHub_P", "dateReserved": "2026-03-05T02:19:50.739Z", "datePublished": "2026-03-10T18:56:56.506Z", "dateUpdated": "2026-03-11T14:13:44.860Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "shortName": "GitHub_P", "dateUpdated": "2026-03-10T18:56:56.506Z"}, "title": "Incorrect Authorization in GitHub Enterprise Server allows access to issue and commit search results without repo scope", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "affected": [{"vendor": "GitHub", "product": "Enterprise Server", "versions": [{"status": "affected", "version": "3.16.0", "lessThanOrEqual": "3.16.14", "changes": [{"at": "3.16.15", "status": "unaffected"}], "versionType": "semver"}, {"status": "affected", "version": "3.17.0", "lessThanOrEqual": "3.17.11", "changes": [{"at": "3.17.12", "status": "unaffected"}], "versionType": "semver"}, {"status": "affected", "version": "3.18.0", "lessThanOrEqual": "3.18.5", "changes": [{"at": "3.18.6", "status": "unaffected"}], "versionType": "semver"}, {"status": "affected", "version": "3.19.0", "lessThanOrEqual": "3.19.2", "changes": [{"at": "3.19.3", "status": "unaffected"}], "versionType": "semver"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user must have had existing access to the repository through organization membership or as a collaborator for the vulnerability to be exploitable. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.16.15, 3.17.12, 3.18.6 and 3.19.3. This vulnerability was reported via the GitHub Bug Bounty program.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user must have had existing access to the repository through organization membership or as a collaborator for the vulnerability to be exploitable. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.16.15, 3.17.12, 3.18.6 and 3.19.3. This vulnerability was reported via the GitHub Bug Bounty program."}]}], "references": [{"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.15"}, {"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.12"}, {"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.6"}, {"url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.3"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Sergej Ljubojevic", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T14:13:37.842686Z", "id": "CVE-2026-3582", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:13:44.860Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3582", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T14:13:37.842686Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:13:41.364Z"}}], "cna": {"title": "Incorrect Authorization in GitHub Enterprise Server allows access to issue and commit search results without repo scope", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Sergej Ljubojevic"}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "GitHub", "product": "Enterprise Server", "versions": [{"status": "affected", "changes": [{"at": "3.16.15", "status": "unaffected"}], "version": "3.16.0", "versionType": "semver", "lessThanOrEqual": "3.16.14"}, {"status": "affected", "changes": [{"at": "3.17.12", "status": "unaffected"}], "version": "3.17.0", "versionType": "semver", "lessThanOrEqual": "3.17.11"}, {"status": "affected", "changes": [{"at": "3.18.6", "status": "unaffected"}], "version": "3.18.0", "versionType": "semver", "lessThanOrEqual": "3.18.5"}, {"status": "affected", "changes": [{"at": "3.19.3", "status": "unaffected"}], "version": "3.19.0", "versionType": "semver", "lessThanOrEqual": "3.19.2"}], "defaultStatus": "affected"}], "references": [{"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.15"}, {"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.12"}, {"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.6"}, {"url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.3"}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user must have had existing access to the repository through organization membership or as a collaborator for the vulnerability to be exploitable. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.16.15, 3.17.12, 3.18.6 and 3.19.3. This vulnerability was reported via the GitHub Bug Bounty program.", "supportingMedia": [{"type": "text/html", "value": "An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user must have had existing access to the repository through organization membership or as a collaborator for the vulnerability to be exploitable. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.16.15, 3.17.12, 3.18.6 and 3.19.3. This vulnerability was reported via the GitHub Bug Bounty program.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "shortName": "GitHub_P", "dateUpdated": "2026-03-10T18:56:56.506Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3582", "state": "PUBLISHED", "dateUpdated": "2026-03-11T14:13:44.860Z", "dateReserved": "2026-03-05T02:19:50.739Z", "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "datePublished": "2026-03-10T18:56:56.506Z", "assignerShortName": "GitHub_P"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user must have had existing access to the repository through organization membership or as a collaborator for the vulnerability to be exploitable. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.16.15, 3.17.12, 3.18.6 and 3.19.3. This vulnerability was reported via the GitHub Bug Bounty program."}, {"lang": "es", "value": "Una vulnerabilidad de autorizaci\u00f3n incorrecta fue identificada en GitHub Enterprise Server que permit\u00eda a un usuario autenticado con un token de acceso personal (PAT) cl\u00e1sico que carec\u00eda del alcance 'repo' recuperar incidencias y commits de repositorios privados e internos a trav\u00e9s de los puntos finales de la API REST de b\u00fasqueda. El usuario deb\u00eda tener acceso existente al repositorio a trav\u00e9s de la membres\u00eda de la organizaci\u00f3n o como colaborador para que la vulnerabilidad fuera explotable. Esta vulnerabilidad afect\u00f3 a todas las versiones de GitHub Enterprise Server anteriores a la 3.20 y fue corregida en las versiones 3.16.15, 3.17.12, 3.18.6 y 3.19.3. Esta vulnerabilidad fue reportada a trav\u00e9s del programa GitHub Bug Bounty."}], "id": "CVE-2026-3582", "lastModified": "2026-03-11T13:52:47.683", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "product-cna@github.com", "type": "Secondary"}]}, "published": "2026-03-10T20:16:41.373", "references": [{"source": "product-cna@github.com", "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.15"}, {"source": "product-cna@github.com", "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.12"}, {"source": "product-cna@github.com", "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.6"}, {"source": "product-cna@github.com", "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.3"}], "sourceIdentifier": "product-cna@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "product-cna@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.16.0,3.16.14]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.17.0,3.17.11]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.18.0,3.18.5]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.19.0,3.19.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Enterprise Server", "source": "cna", "vendor": "GitHub"}, "product": "enterprise_server", "vendor": "github"}], "created": "2026-03-11T11:43:30.448506+00:00", "updated": "2026-03-11T11:43:30.448586+00:00", "vendors": ["github", "github$PRODUCT$enterprise_server"]}