GitHub Enterprise Server Authentication Bypass Vulnerability Allowing Unauthenticated User Account Creation

Vulnerability

A vulnerability in GitHub Enterprise Server (GHES) was identified that allows an unauthenticated attacker to create a local user account on an instance configured with an external authentication provider. This bypasses identity provider validation: the signup endpoint failed to enforce the authentication restrictions that external authentication is supposed to impose. The created account is assigned default base permissions. Exploitation requires network access to a GHES instance with external authentication enabled.

Impact

Exploitation of this vulnerability allows for unauthorized account creation, bypassing external authentication providers, and could lead to unauthorized access to repositories, depending on the permissions assigned to the created account.

Remediation

Users can upgrade to GitHub Enterprise Server versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, or 3.16.18.
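As an added example (not part of the advisory or of GitHub's own tooling), the following Python helper compares a GHES version string against the fixed releases listed above, per minor branch, and triages a constructed host inventory. The inventory hostnames and the rule that a branch newer than 3.20 carries the fix forward are assumptions; branches older than 3.16 are reported as unpatched because the advisory lists no fix for them.

```python
# Added example: branch-aware version check for the GHES fix levels named in the
# advisory (3.20.2, 3.19.6, 3.18.9, 3.17.15, 3.16.18), plus a small triage routine
# that prioritises unpatched instances running external authentication, since the
# advisory states exploitation requires that configuration.

# Fixed release per (major, minor) branch, taken from the advisory's remediation list.
FIXED_VERSIONS = {
    (3, 20): (3, 20, 2),
    (3, 19): (3, 19, 6),
    (3, 18): (3, 18, 9),
    (3, 17): (3, 17, 15),
    (3, 16): (3, 16, 18),
}


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch' into an integer tuple; reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_patched(version: str) -> bool:
    """True if the version is at or above the fixed release for its branch."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        # Assumption: a branch newer than any listed (e.g. 3.21.x) carries the fix
        # forward; a branch older than 3.16 has no listed fix and is treated as unpatched.
        return (major, minor) > max(FIXED_VERSIONS)
    return (major, minor, patch) >= fixed


def triage(version: str, external_auth_enabled: bool) -> str:
    """Classify one instance: 'ok', 'upgrade' (unpatched, local auth only),
    or 'urgent' (unpatched and exposed to the described bypass)."""
    if is_patched(version):
        return "ok"
    return "urgent" if external_auth_enabled else "upgrade"


def triage_inventory(inventory: list[tuple[str, str, bool]]) -> dict[str, str]:
    """Map each (hostname, version, external_auth_enabled) entry to its triage class."""
    return {host: triage(version, ext) for host, version, ext in inventory}


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("ghes-prod.example.internal", "3.18.8", True),    # unpatched, SAML/LDAP in use
    ("ghes-lab.example.internal", "3.17.15", True),    # exactly at the fix level
    ("ghes-legacy.example.internal", "3.15.10", False),  # branch with no listed fix
    ("ghes-new.example.internal", "3.20.1", False),    # unpatched but local auth only
]

if __name__ == "__main__":
    for host, result in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:32s} {result}")
```

Run it against a real inventory by replacing `SAMPLE_INVENTORY`; "urgent" entries are the ones where the advisory's precondition (external authentication enabled) holds on an unpatched build.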

Added: May 7, 2026, 10:38 PM
Updated: May 7, 2026, 10:38 PM

Vulnerability Rating

Custom Algorithm

category        score
spread          1.9
impact          1.3
exploitability  6.6
remediation     8.3
relevance       7.8
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.