GitHub security advisory (AV26-146)
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in GitHub Enterprise Server (GHES)
## CVE Details
- **CVE ID:** Specific CVE identifiers are not explicitly listed in the Canadian Centre for Cyber Security summary, but the advisory refers to a collection of fixes addressed in the February 2026 release cycle.
- **CVSS Score:** N/A (Severity levels for GHES releases typically range from Medium to Critical)
- **CWE:** Not specified in the summary.
## Affected Systems
- **Products:** GitHub Enterprise Server (GHES)
- **Versions:**
  - 3.19.x prior to 3.19.2
  - 3.18.x prior to 3.18.5
  - 3.17.x prior to 3.17.11
  - 3.16.x prior to 3.16.14
  - 3.15.x prior to 3.15.18
  - 3.14.x prior to 3.14.23
- **Configurations:** Standalone and High Availability configurations of the on-premises Enterprise Server.
## Vulnerability Description
The CCCS bulletin does not detail the specific technical flaws (for example injection, authentication bypass, or remote code execution). GitHub Enterprise Server patch releases commonly address vulnerabilities in the Management Console, API rate limiting, or permission escalation within the instance. This advisory (AV26-146) covers a coordinated maintenance release across all currently supported release branches that patches newly discovered flaws or security regressions.
## Exploitation
- **Status:** Not explicitly reported as exploited in the wild.
- **Complexity:** Dependent on specific CVE (typically Medium).
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** Potential for unauthorized data access.
- **Integrity:** Potential for modification of repository metadata or settings.
- **Availability:** Potential for service disruption depending on the specific flaw.
## Remediation
### Patches
GitHub has released the following patched versions. Administrators should upgrade to the relevant branch immediately:
- GHES 3.19.2
- GHES 3.18.5
- GHES 3.17.11
- GHES 3.16.14
- GHES 3.15.18
- GHES 3.14.23
### Workarounds
No specific workarounds are provided. Patching is the recommended and primary course of action.
## Detection
- **Indicators of Compromise:** None are published for this advisory. Monitor GHES audit logs for unusual administrative activity or unauthorized access to the Management Console (port 8443).
- **Detection Methods:** Vulnerability scanners should compare the version reported by the GHES instance against the patched versions listed above; any instance on a supported branch below its fixed version, or on a branch older than 3.14, should be treated as unpatched.
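The version comparison described under Detection and the affected/patched version table above, implemented as an added example (this is not code from the advisory, the CCCS, or GitHub). It assumes the instance version is available as a `major.minor.patch` string, for example from the `installed_version` field of the GHES REST `meta` endpoint (field name assumed here; the sample JSON is constructed, and the function also accepts a bare version string):

```python
import json
import re

# Fixed versions from AV26-146, keyed by release branch (major, minor).
PATCHED = {
    (3, 19): (3, 19, 2),
    (3, 18): (3, 18, 5),
    (3, 17): (3, 17, 11),
    (3, 16): (3, 16, 14),
    (3, 15): (3, 15, 18),
    (3, 14): (3, 14, 23),
}
OLDEST_FIXED_BRANCH = min(PATCHED)

# Accepts "3.17.10", "v3.17.10", or "3.17.10.rc1" (pre-release suffix ignored).
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) or raise ValueError on junk input."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Classify one instance version against the advisory.

    Returns one of:
      "patched"      - on a supported branch at or above its fixed version
      "vulnerable"   - on a supported branch below its fixed version
      "unsupported"  - on a branch older than 3.14 (no fix in this advisory,
                       treat as unpatched and plan a branch upgrade)
      "not-covered"  - on a branch newer than any listed in the advisory
    """
    major, minor, patch = parse_version(version_text)
    branch = (major, minor)
    if branch in PATCHED:
        return "patched" if (major, minor, patch) >= PATCHED[branch] else "vulnerable"
    if branch < OLDEST_FIXED_BRANCH:
        return "unsupported"
    return "not-covered"


def assess_meta(meta_json):
    """Assess a JSON document shaped like the GHES meta endpoint response.

    `installed_version` is an assumed field name; verify it against your
    instance before relying on this in a scanner.
    """
    meta = json.loads(meta_json)
    version = meta.get("installed_version")
    if not version:
        return {"version": None, "status": "unknown"}
    return {"version": version, "status": assess(version)}


# Constructed sample: what an unpatched 3.17 instance might report.
SAMPLE_META = '{"verifiable_password_authentication": true, "installed_version": "3.17.10"}'

if __name__ == "__main__":
    for v in ["3.19.2", "3.19.1", "v3.14.23", "3.13.9", "3.20.0"]:
        print(f"{v:>10} -> {assess(v)}")
    print(assess_meta(SAMPLE_META))
```

The `unsupported` and `not-covered` outcomes are kept separate from `vulnerable` on purpose: a scanner that silently maps an out-of-support 3.13 instance to "not affected" because its branch is absent from the table would hide exactly the hosts that need the most attention.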
## References
- **Canadian Centre for Cyber Security:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/github-security-advisory-av26-146
- **GitHub Release Notes (3.19):** hxxps[://]docs[.]github[.]com/en/enterprise-server@3.19/admin/release-notes
- **GitHub Release Notes (3.18):** hxxps[://]docs[.]github[.]com/en/enterprise-server@3.18/admin/release-notes
- **GitHub Release Notes (3.17):** hxxps[://]docs[.]github[.]com/en/enterprise-server@3.17/admin/release-notes
- **GitHub Release Notes (3.16):** hxxps[://]docs[.]github[.]com/en/enterprise-server@3.16/admin/release-notes
- **GitHub Release Notes (3.15):** hxxps[://]docs[.]github[.]com/en/enterprise-server@3.15/admin/release-notes
- **GitHub Release Notes (3.14):** hxxps[://]docs[.]github[.]com/en/enterprise-server@3.14/admin/release-notes