|
| 1 | +date: '2026-04-21' |
| 2 | +sections: |
| 3 | + security_fixes: |
| 4 | + - | |
| 5 | + **HIGH**: An attacker could gain unauthorized access to private repositories by abusing scoped user-to-server (`ghu_`) tokens after their associated GitHub App installation was revoked or deleted. In certain cases, the authorization layer could incorrectly fall back to a global installation context instead of rejecting the request, allowing the token to access resources outside its intended installation or repository scope. This issue could be chained with weaknesses in token revocation timing and SSH push attribution to obtain a victim-scoped token and read private repository contents without victim interaction. GitHub has requested CVE ID [CVE-2026-5845](https://www.cve.org/cverecord?id=CVE-2026-5845) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). |
| 6 | + - | |
| 7 | + **HIGH**: An attacker could extract sensitive environment variables from a GitHub Enterprise Server instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating the destination host, enabling an unauthenticated Server-Side Request Forgery (SSRF) to internal services. By measuring response time differences, an attacker could infer secret values character by character. GitHub has requested CVE ID [CVE-2026-5921](https://www.cve.org/cverecord?id=CVE-2026-5921) for this vulnerability, which was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program. |
| 8 | + - | |
| 9 | + **HIGH**: A Management Console administrator could inject shell metacharacters into configuration fields via the Management Console configuration API, leading to arbitrary command execution on the appliance as the admin OS user. GitHub has requested CVE ID [CVE-2026-4821](https://www.cve.org/cverecord?id=CVE-2026-4821) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). |
| 10 | + - | |
| 11 | + **HIGH**: An attacker with knowledge of a target application's registered OAuth callback URL could gain unauthorized access to user accounts by exploiting incorrect regular expression matching in callback URL validation. GitHub has requested CVE ID [CVE-2026-4296](https://www.cve.org/cverecord?id=CVE-2026-4296) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). |
| 12 | + - | |
| 13 | + **MEDIUM**: An attacker with permission to manage secret scanning push protection settings in one repository could add or remove delegated bypass reviewers in a different repository by exploiting an incorrect authorization check in the `/settings/security_analysis/bypass_reviewers` endpoints. Authorization was checked against the repository in the URL route, but the action was applied to a different repository specified in the request body. The impact is limited to assigning existing trusted users as bypass reviewers. GitHub has requested CVE ID [CVE-2026-3307](https://www.cve.org/cverecord?id=CVE-2026-3307) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). |
| 14 | + - | |
| 15 | + **MEDIUM**: An authenticated attacker could determine the names of private repositories by their numeric ID through the mobile upload policy API endpoint, which returned repository names in validation error messages without verifying the caller's access. GitHub has requested [CVE ID CVE-2026-5512](https://www.cve.org/cverecord?id=CVE-2026-5512) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). |
| 16 | + - | |
| 17 | + **LOW**: GitHub Enterprise Server included React versions 19.0, 19.1, and 19.2 in its package, which contain vulnerabilities in the React Server Components protocol (CVE-2025-55182, CVE-2025-66478). GitHub Enterprise Server does not use React Server Components and was not vulnerable to exploitation. React has been updated to version 19.2.3 to address findings from security scanning tools. |
| 18 | + bugs: |
| 19 | + - | |
| 20 | + On an instance with GitHub Actions enabled, diagnostic log files for storage connectivity checks did not persist to disk when site administrators clicked **Test storage settings** in the Management Console or ran `ghe-config-apply` to apply configuration changes. This made storage connection failures difficult to troubleshoot because logs were unavailable in support bundles. |
| 21 | + - | |
| 22 | + When Consul replication failed to start, a misleading error message `exit: check_consul_replication: numeric argument required` was emitted to `ghe-config.log`. |
| 23 | + - | |
| 24 | + Consul replication would sometimes fail to start and would repeatedly display an error message `WARNING: Consul KV Replication Error` before terminating. |
| 25 | + - | |
| 26 | + On instances with Dependabot enabled, hotpatch upgrades could lock the Nomad jobs queue. |
| 27 | + - | |
| 28 | + On instances connected to GitHub Enterprise Cloud with data residency, the "GitHub.com actions" setting appeared in the GitHub Connect configuration despite this feature not being available for data residency deployments. |
| 29 | + - | |
| 30 | + The site admin bar displayed debugging information used by GitHub. |
| 31 | + - | |
| 32 | + Suspended users were listed in an organization's list of members. |
| 33 | + - | |
| 34 | + On an instance with busy databases, online schema migrations using gh-ost failed because the cut-over lock timeout defaulted to 3 seconds, which was insufficient to acquire an exclusive table lock under continuous traffic. |
| 35 | + changes: |
| 36 | + - | |
| 37 | + Administrators can now set `mysql.innodb-online-alter-log-max-size` with `ghe-config` so the value persists when a configuration is applied or upgraded. |
| 38 | + known_issues: |
| 39 | + - | |
| 40 | + First time setups of GitHub Actions with OpenID Connect (OIDC) fail with an error on the `Update Servicing Resources` step. This problem does not affect instances where GitHub Actions is already enabled. |
| 41 | +
|
| 42 | + As a workaround, you can enable Actions without OIDC, then enable OIDC **immediately** once the process completes. You should do this immediately because enabling OIDC will remove all access to existing Actions logs and artifacts. |
| 43 | + - | |
| 44 | + During an upgrade of GitHub Enterprise Server, custom firewall rules are removed. If you use custom firewall rules, you must reapply them after upgrading. |
| 45 | + - | |
| 46 | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. |
| 47 | + - | |
| 48 | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [Troubleshooting access to the Management Console](/admin/administering-your-instance/administering-your-instance-from-the-web-ui/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account). |
| 49 | + - | |
| 50 | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. |
| 51 | + - | |
| 52 | + {% data reusables.release-notes.large-adoc-files-issue %} |
| 53 | + - | |
| 54 | + Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised. |
| 55 | + - | |
| 56 | + When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed. |
| 57 | + - | |
| 58 | + Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps. |
| 59 | + - | |
| 60 | + {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} |
| 61 | + - | |
| 62 | + When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`. |
| 63 | + - | |
| 64 | + An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning. |
| 65 | + - | |
| 66 | + In the header bar displayed to site administrators, some icons are not available. |
| 67 | + - | |
| 68 | + When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded. |
| 69 | + - | |
| 70 | + When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed. |
| 71 | + - | |
| 72 | + When initializing a new GHES cluster, nodes with the `consul-server` role should be added to the cluster before adding additional nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration. |
| 73 | + - | |
| 74 | + Admins setting up cluster high availability (HA) may encounter a spokes error when running `ghe-cluster-repl-status` if a new organization and repositories are created before using the `ghe-cluster-repl-bootstrap` command. To avoid this issue, complete the cluster HA setup with `ghe-cluster-repl-bootstrap` before creating new organizations and repositories. |
| 75 | + - | |
| 76 | + After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance. |
| 77 | + - | |
| 78 | + After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the actions workflow of a repository does not have any suggested workflows. |
| 79 | + - | |
| 80 | + Unexpected elements may appear in the UI on the repo overview page for locked repositories. |
| 81 | + - | |
| 82 | + GitHub Enterprise Server releases shipped with mismatched Git versions between containers. |
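Review bot: the CVE and bug-bounty link text is inconsistent across the `security_fixes` entries; the CVE-2026-5512 item wraps the label inside the link (`GitHub has requested [CVE ID CVE-2026-5512](...)`) while every other item links only the identifier (`GitHub has requested CVE ID [CVE-2026-5845](...)`), and the CVE-2026-5921 item links `[GitHub Bug Bounty](...) program` where the others link `[GitHub Bug Bounty program](...)`; please align both to the majority form. The LOW React entry also leaves CVE-2025-55182 and CVE-2025-66478 unlinked, unlike the other CVE references. Minor wording in `known_issues`: "First time setups" should be "First-time setups", "may timeout" should be "may time out", and "shutdown the node" should be "shut down the node".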