CVE-2025-6981
Severity: MEDIUM
GitHub Enterprise Server < 3.14.5 - Unauthorized Internal Repository Read Access via Contractors API
Title source: llmDescription
An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.14.15, 3.15.10, 3.16.6 and 3.17.3.
References (4)
Release Notes: https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.15
Release Notes: https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.10
Release Notes: https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.6
Release Notes: https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.3
Scores
CVSS v3: 4.3
EPSS: 0.0025
EPSS Percentile: 16.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-863
Status: published
Products (1): github/enterprise_server < 3.14.5
Published: Jul 15, 2025
Tracked Since: Feb 18, 2026