CVE Alert

CVE-2026-1999

Severity: UNKNOWN (CVSS 0.0)

Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized merging of pull requests

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 9th

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enable_auto_merge mutation for pull requests. This issue only affected repositories that allow forking as the attack relies on opening a pull request from an attacker-controlled fork into the target repository. Exploitation was only possible in specific scenarios. It required a clean pull request status and only applied to branches without branch protection rules enabled. This vulnerability affected GitHub Enterprise Server versions prior to 3.19.2, 3.18.5, and 3.17.11, and was fixed in versions 3.19.2, 3.18.5, and 3.17.11. This vulnerability was reported via the GitHub Bug Bounty program.

CWE: CWE-863
Vendor: github
Product: enterprise server
Published: Feb 18, 2026
Last Updated: Apr 14, 2026

Affected Versions

GitHub / Enterprise Server
3.17.0 <= affected < 3.17.11
3.18.0 <= affected < 3.18.5
3.19.0 <= affected < 3.19.2

References

NVD, CVE.org, EPSS Data
docs.github.com: https://docs.github.com/en/[email protected]/admin/release-notes#3.17.11
docs.github.com: https://docs.github.com/en/[email protected]/admin/release-notes#3.18.5
docs.github.com: https://docs.github.com/en/[email protected]/admin/release-notes#3.19.2

Credits

ahacker1