CVE-2026-9106
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk24th percentile — higher than 24% of all known CVEs
Summary
A UI misrepresentation vulnerability in GitHub Enterprise Server allowed an OAuth application to gain unintended access to an organization's runner management. The issue occurred because the manage_runners:org scope was not displayed on the authorization consent screen, enabling an attacker to trick a user into authorizing a malicious app.
Risk Assessment
The organization risks unauthorized access to CI/CD runners, potentially leading to compromised build processes and deployment of malicious code into production.
Recommendation
Immediately upgrade GitHub Enterprise Server to version 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, or 3.16.20 depending on your release line.
Original NVD description (English source)
A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. An attacker could exploit this by creating an OAuth application requesting the manage_runners:org scope and directing a victim user to authorize it, as the scope was not displayed on the authorization consent screen. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program.

