Users Without Roles/Member Roles Can Create Private Repositories And Secret Teams In Github…
Summary
A weakness in GitHub organisations allows users who hold no role, or only the member role, to create private repositories and secret teams even when the organisation owner has disabled those features for members.
The issue revolves around how invitations to collaborate are handled, specifically those originating from classroom.github.com (GitHub Classroom), a service that helps educators manage student coding assignments.
When a user accepts such an invitation to collaborate on a private repository, the acceptance flow presents a tickbox offering to create a team. This tickbox still appears even though team creation has been disabled for the organisation.
On acceptance, the user is assigned the organisation member role and, through this flow, ends up with the ability to create private repositories and teams.
The issue affects only users invited via classroom.github.com. However, it could serve as a vector for otherwise unprivileged users to escalate their permissions and gain access to an organisation's resources.
The report was submitted to GitHub via its HackerOne portal and closed as 'Informative' on March 19th, 2025, the disposition HackerOne uses for reports that contain useful information but that the programme does not treat as a vulnerability warranting a fix.
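For an organisation owner who wants to check whether the behaviour described above has been used against them, the practical test is to compare the organisation's member-permission settings with who actually created private repositories and teams. The script below is an added example for that purpose; it is not code from the original report or from GitHub. It relies on three documented REST endpoints (`GET /orgs/{org}` for the `members_can_create_private_repositories` and `members_allowed_repository_creation_type` settings, `GET /orgs/{org}/members?role=admin` for the owners, and `GET /orgs/{org}/audit-log`, which is available on GitHub Enterprise Cloud, for `repo.create` and `team.create` events). The organisation name, logins and audit events in the sample data are constructed so the audit logic runs offline; the live `fetch_json` helper is provided but not called by the demo.

```python
"""Audit: do private repos / teams exist that members should not have been able to create?

Added example, not code from the original report or from GitHub.  The sample JSON
at the bottom is constructed; field names follow the GitHub REST API documentation.
"""
from __future__ import annotations

import json
import urllib.request
from dataclasses import dataclass

API = "https://api.github.com"


def fetch_json(path: str, token: str):
    """GET one REST endpoint as an organisation owner.  Not used by the offline demo."""
    req = urllib.request.Request(
        API + path,
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


@dataclass(frozen=True)
class Finding:
    kind: str      # "setting" or "creation"
    subject: str   # setting name, repository full name or team name
    detail: str


def members_may_create_private(org: dict) -> bool:
    """True if either documented org setting lets members create private repositories."""
    if org.get("members_can_create_private_repositories"):
        return True
    return org.get("members_allowed_repository_creation_type") in ("all", "private")


def audit(org: dict, owners: list[dict], events: list[dict]) -> list[Finding]:
    """Cross-check settings against audit-log creation events by non-owners.

    There is no REST field exposing 'members can create teams', so every team
    created by a non-owner is reported for manual review rather than filtered.
    """
    owner_logins = {o["login"] for o in owners}
    private_allowed = members_may_create_private(org)
    findings: list[Finding] = []

    if private_allowed:
        findings.append(Finding("setting", "members_can_create_private_repositories",
                                "members are currently allowed to create private repositories"))

    for ev in events:
        actor = ev.get("actor", "")
        if actor in owner_logins:
            continue  # owners may create anything; only members are of interest
        action = ev.get("action")
        if action == "repo.create" and ev.get("visibility") == "private" and not private_allowed:
            findings.append(Finding("creation", ev.get("repo", "?"),
                                    f"private repository created by non-owner '{actor}' "
                                    "while member private-repo creation is disabled"))
        elif action == "team.create":
            findings.append(Finding("creation", ev.get("team", "?"),
                                    f"team created by non-owner '{actor}'; check its privacy "
                                    "setting and how the actor joined the organisation"))
    return findings


# ---- constructed sample data (hypothetical organisation, logins and events) ----
SAMPLE_ORG = {
    "login": "example-org",
    "members_can_create_private_repositories": False,
    "members_allowed_repository_creation_type": "none",
}
SAMPLE_OWNERS = [{"login": "alice"}]
SAMPLE_EVENTS = [
    {"action": "repo.create", "actor": "alice", "repo": "example-org/infra", "visibility": "private"},
    {"action": "repo.create", "actor": "student1", "repo": "example-org/side-project", "visibility": "private"},
    {"action": "repo.create", "actor": "student1", "repo": "example-org/notes", "visibility": "public"},
    {"action": "team.create", "actor": "student1", "team": "example-org/hidden-team"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ORG, SAMPLE_OWNERS, SAMPLE_EVENTS):
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```

Against the constructed data the script reports the private repository and the team created by `student1` and ignores both the owner's repository and the public one. To run it for real, populate the three inputs with `fetch_json(f"/orgs/{org}", token)`, `fetch_json(f"/orgs/{org}/members?role=admin", token)` and the paginated audit-log results; without Enterprise Cloud the audit log is not available via the API and the creation check has to be done from the organisation's audit log page instead.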