QwikSec

Security Database

CVE

CWE

Training

CVE-2025-6981

Published: Jul 15, 2025

Modified: Jul 16, 2025

PUBLISHED

Description

An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.14.15, 3.15.10, 3.16.6 and 3.17.3

Vendor	Product	Versions
GitHub	Enterprise Server	affected `3.14.0 - < 3.14.15` affected `3.15.0 - < 3.15.10` affected `3.16.0 - < 3.16.6` affected `3.17.0 - < 3.17.3`

Weaknesses (CWE)

References

https://docs.github.com/en/[email protected]/admin/release-notes#3.14.15

release-notes

https://docs.github.com/en/[email protected]/admin/release-notes#3.15.10

release-notes

https://docs.github.com/en/[email protected]/admin/release-notes#3.16.6

release-notes

https://docs.github.com/en/[email protected]/admin/release-notes#3.17.3

release-notes

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.