CVE-2026-9132
Missing authorization vulnerability in GitHub Enterprise Server allowed disclosure of private repository contents via the Copilot pull request diff summary endpoint
Description
A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to read source code from private repositories they did not have access to. The Copilot pull request description diff summary endpoint accepted a cross-repository comparison range and rendered the resulting diff without verifying that the requesting user was authorized to view the target repository. Exploitation required an authenticated account on the instance with read access to at least one repository to use as the comparison base. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, and 3.20.4. This vulnerability was reported via the GitHub Bug Bounty program.
INFO
Published Date :
June 30, 2026, 8:23 p.m.
Last Modified :
June 30, 2026, 8:23 p.m.
Remotely Exploit :
Yes !
Source :
GitHub_P
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 4.0 | MEDIUM | 82327ea3-741d-41e4-88f8-2cf9e791e760 |
Solution
- Update to version 3.17.17 or later.
- Update to version 3.18.11 or later.
- Update to version 3.19.8 or later.
- Update to version 3.20.4 or later.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-9132 vulnerability anywhere in the article.