Mintlify Platform GitHub Integration API Repository Metadata Exposure Vulnerability

Vulnerability

A vulnerability in the GitHub Integration API of the Mintlify Platform, affecting versions prior to November 15, 2025, allows remote attackers to access sensitive repository metadata. The issue arises because the API does not validate that the repository owner and name fields provided during configuration are associated with the specific GitHub App Installation ID of the user's organization. This lack of validation could be exploited to retrieve commit details from unauthorized repositories.

Impact

Exploitation of this vulnerability could lead to unauthorized access to repository metadata, including commit details such as messages, hashes, filenames, and files changed.

Reproduction

To reproduce this vulnerability, send a request to the GitHub Integration API's repository configuration endpoint. Include a repository owner and name that do not belong to the GitHub App Installation ID associated with the user's organization. The API will respond with metadata from the specified repository, bypassing authorization checks.

Remediation

Users are advised to ensure that their GitHub repository configurations are validated against the correct GitHub App Installation ID. Mintlify has implemented a check to verify that the specified repository is accessible by the GitHub App installation linked to the user's Mintlify account.
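The check described above, as an added example that is not Mintlify's code: a handler that accepts a repository owner and name from the caller and returns commit metadata, shown in the unchecked shape and in a hardened shape that first confirms the repository belongs to the GitHub App installation linked to the caller's account. Everything here is constructed for illustration: the account-to-installation mapping, the installation-to-repository data, the commit records and the stub client (`githubClient`, `listInstallationRepos`, `listCommits`) are assumptions standing in for a real integration, where the repository list would come from the installation-scoped GitHub API (GET /installation/repositories) and the calls would be asynchronous.

```javascript
// Added example (not Mintlify's code). All data below is constructed; the stub
// client stands in for real GitHub API calls.

// Constructed: which GitHub App installation each platform account is linked
// to. The installation ID must be resolved from this server-side linkage,
// never taken from the request body.
const ACCOUNT_INSTALLATION = { "user-42": 1001, "user-77": 2002 };

// Constructed: repositories each installation can access (what
// GET /installation/repositories returns for that installation's token).
const INSTALLATION_REPOS = {
  1001: [
    { owner: "acme-docs", name: "handbook" },
    { owner: "acme-docs", name: "api-reference" },
  ],
  2002: [{ owner: "other-org", name: "private-internal" }],
};

// Constructed commit metadata keyed by "owner/name". The lookup is deliberately
// not scoped by installation, modelling a backend that returns data for any
// repository it is asked about unless the caller checks first.
const COMMITS = {
  "acme-docs/handbook": [{ sha: "0000aaa", message: "Update intro" }],
  "other-org/private-internal": [{ sha: "0000bbb", message: "Rotate deploy keys" }],
};

// Stub client (hypothetical); real calls are asynchronous HTTP requests.
function githubClient() {
  return {
    listInstallationRepos: (installationId) => INSTALLATION_REPOS[installationId] ?? [],
    listCommits: (owner, name) => COMMITS[`${owner}/${name}`] ?? [],
  };
}

class AuthorizationError extends Error {}

// GitHub owner and repository names use only alphanumerics, "-", "_" and ".";
// rejecting anything else keeps caller input from altering the API path that
// is later built from it.
const SLUG = /^[A-Za-z0-9_.-]{1,100}$/;
function assertRepoSlug(value, field) {
  if (typeof value !== "string" || !SLUG.test(value) || value === "." || value === "..") {
    throw new TypeError(`invalid ${field}: ${JSON.stringify(value)}`);
  }
}

// Unchecked shape: the caller-supplied owner/name is used directly, so the
// response is not limited to repositories the account's installation covers.
function getCommitsUnchecked(accountId, owner, name) {
  const gh = githubClient();
  return gh.listCommits(owner, name);
}

// Hardened shape: resolve the installation from the account, then confirm the
// requested repository is in that installation's accessible set before any
// commit data is read. Names are compared case-insensitively (as GitHub does)
// and the canonical owner/name from the installation's list is what is used
// for the data fetch, not the caller's spelling.
function getCommitsChecked(accountId, owner, name) {
  assertRepoSlug(owner, "owner");
  assertRepoSlug(name, "name");
  const installationId = ACCOUNT_INSTALLATION[accountId];
  if (installationId === undefined) {
    throw new AuthorizationError(`account ${accountId} has no GitHub App installation`);
  }
  const gh = githubClient();
  const repo = gh.listInstallationRepos(installationId).find(
    (r) =>
      r.owner.toLowerCase() === owner.toLowerCase() &&
      r.name.toLowerCase() === name.toLowerCase()
  );
  if (!repo) {
    // One error for "not accessible" and "does not exist", so the response
    // does not reveal which of the two applies.
    throw new AuthorizationError(
      `repository ${owner}/${name} is not accessible to installation ${installationId}`
    );
  }
  return gh.listCommits(repo.owner, repo.name);
}
```

The essential design point is that the installation ID is derived from the authenticated account on the server side and the caller's owner/name pair is only ever treated as a selector within that installation's repository list; if the pair is not in the list, no data fetch is attempted at all.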

Added: Dec 19, 2025, 2:20 AM
Updated: Dec 19, 2025, 2:20 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.