Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-6981

An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.14.15, 3.15.10, 3.16.6 and 3.17.3

Published

2025-07-15T21:15:34.630

Last Modified

2025-08-27T14:41:04.110

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 4.3 (MEDIUM)

Weaknesses

Type: Secondary
CWE-863

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	github	enterprise_server	< 3.14.5	Yes
Application	github	enterprise_server	< 3.15.10	Yes
Application	github	enterprise_server	< 3.16.6	Yes
Application	github	enterprise_server	< 3.17.3	Yes

References

https://docs.github.com/en/[email protected]/admin/release-notes#3.14.15 Release Notes ([email protected])
https://docs.github.com/en/[email protected]/admin/release-notes#3.15.10 Release Notes ([email protected])
https://docs.github.com/en/[email protected]/admin/release-notes#3.16.6 Release Notes ([email protected])
https://docs.github.com/en/[email protected]/admin/release-notes#3.17.3 Release Notes ([email protected])