CVE-2025-6981

Description

An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.14.15, 3.15.10, 3.16.6 and 3.17.3

PUBLISHED Reserved 2025-07-01 | Published 2025-07-15 | Updated 2025-07-16 | Assigner GitHub_P

Problem types

CWE-863 Incorrect Authorization

Product status

References

docs.github.com/...nterprise-server@3.14/admin/release-notes release-notes

docs.github.com/...nterprise-server@3.15/admin/release-notes release-notes

docs.github.com/...nterprise-server@3.16/admin/release-notes release-notes

docs.github.com/...nterprise-server@3.17/admin/release-notes release-notes

cve.org (CVE-2025-6981)

nvd.nist.gov (CVE-2025-6981)

Download JSON