Missing Access Control in MigrationFile allows attacker to upload files to any Migration

Bug reported by ahacker1 was disclosed at March 5, 2026, 2:23 am   |   Insecure Direct Object Reference (IDOR)

A Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized content to be uploaded to a user's repository migration export due to a missing authorization check in the repository migration upload endpoint. The vulnerability could be exploited by supplying the migration identifier to overwrite or replace a victim's migration archive.