HackerOne Disclosed Reports - 2026-03-04


Severity: High   |   State: resolved

Missing Access Control in MigrationFile allows attacker to upload files to any Migration


Bug reported by ahacker1 was disclosed on March 5, 2026, 2:23 am   |   Insecure Direct Object Reference (IDOR)

A Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized content to be uploaded to a user's repository migration export due to a missing authorization check in the repository migration upload endpoint. The vulnerability could be exploited by supplying the migration identifier to overwrite or replace a victim's migration archive.
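
An added example, not code from the report or from GitHub: a minimal Ruby model of the pattern described above, with an upload handler that resolves the migration by the raw client-supplied identifier beside one that resolves it only through the caller's own migrations. All class and method names here are hypothetical.

```ruby
# Constructed model of the missing-authorization pattern and its fix.
# Migration, MigrationStore and the upload_* methods are hypothetical names,
# not GitHub Enterprise Server code.
require "digest"

Migration = Struct.new(:id, :owner_id, :archive)

class NotFound < StandardError; end

class MigrationStore
  def initialize(migrations)
    @by_id = migrations.to_h { |m| [m.id, m] }
  end

  # Unscoped lookup: any caller who supplies a valid id gets the record.
  def find(id)
    @by_id.fetch(id) { raise NotFound }
  end

  # Scoped lookup: resolves only migrations owned by the caller.
  # A foreign id is reported as NotFound, the same as a missing one,
  # so the response does not reveal which ids exist.
  def find_for(user_id, id)
    migration = @by_id[id]
    raise NotFound unless migration && migration.owner_id == user_id
    migration
  end
end

# "Before": the handler authenticates the caller but never checks that the
# migration named in the request belongs to them.
def upload_unchecked(store, _user_id, migration_id, bytes)
  store.find(migration_id).archive = bytes
end

# "After": the identifier is resolved through the caller's own migrations,
# so the authorization check cannot be skipped by a later code path.
def upload_checked(store, user_id, migration_id, bytes)
  store.find_for(user_id, migration_id).archive = bytes
end

# Digest of the stored archive, useful for asserting it was not replaced.
def archive_digest(store, id)
  Digest::SHA256.hexdigest(store.find(id).archive)
end
```
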

