Cross-repository IDOR in `/settings/security_analysis/bypass_reviewers` allows unauthorized delegated bypass reviewer modification

Bug reported by ahacker1 was disclosed at May 19, 2026, 12:49 am   |   Insecure Direct Object Reference (IDOR)

A vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository. Authorization was verified against the repository in the URL, but the action was applied to a different repository specified in the request body. The vulnerability was limited to assigning existing trusted users as bypass reviewers and did not allow adding arbitrary external users. The vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4 and 3.20.1. The vulnerability was reported via the GitHub Bug Bounty program.

Unauthenticated File Upload to CDN

Bug reported by Walleson Moura was disclosed at May 18, 2026, 7:52 am   |   Improper Access Control - Generic

An unauthenticated file upload vulnerability was discovered in the NFT.io platform. The vulnerability allowed an unauthenticated user to upload files to the platform's content delivery network. The issue was reported and promptly fixed by the Enjin team, despite the low-impact nature of the vulnerability.

IDOR: autotranslate.translateMessage Full Message Content Leak

Bug reported by Josan was disclosed at May 18, 2026, 12:37 am   |   Insecure Direct Object Reference (IDOR)

The `/api/v1/autotranslate.translateMessage` endpoint allowed any authenticated user to retrieve the full content of any message from any room, including private groups, direct messages, and channels. The endpoint fetched the message without performing a room access check, returning the complete message object including the message text, sender information, room ID, timestamps, and markdown content.