GitHub addressed a critical authentication bypass vulnerability (CVE-2024-4985) in the GitHub Enterprise Server (GHES) that could allow an attacker to forge SAML responses and gain administrative privileges without prior authentication. The vulnerability, which had a CVSS score of 10.0, affected GHES installations using SAML single sign-on with encrypted assertions. It was fixed in versions 3.9.15, 3.10.12, 3.11.10, and 3.12.4, and only impacted installations that enabled the optional encrypted assertions feature, which is not enabled by default. The issue was reported through GitHub’s Bug Bounty program.