GitHub Community
Fine-grained PAT with "read-only" Issues permissions can still create issues in public repositories #180063
Replies: 3 comments
-
|
💬 Your Product Feedback Has Been Submitted 🎉 Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users. Here's what you can expect moving forward ⏩
Where to look to see what's shipping 👀
What you can do in the meantime 💻
As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities. Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐ |
Beta Was this translation helpful? Give feedback.
-
|
✅ Why a READ-ONLY fine-grained PAT can create issues in public repos This is not a GitHub bug in code — it’s a policy interaction between:
and
Since anyone (even without a token) can create issues in a public repo: GitHub doesn’t need to consult your token’s permissions So even a read-only token can create issues Because GitHub treats it like “anonymous user doing something allowed anyway” This is why your read-only PAT can also do: Create issues Comment on issues Create discussions Report security advisories Trigger certain workflows This is expected behavior, but NOT documented, and very dangerous for the reasons you outlined. 🚨 Security risk: major, real, and under-discussed The attack vector you described is valid: "Read-only” PAT → LLM agent → Prompt injection → “Create an issue” GitHub’s permission model does NOT protect you here. This is essentially a “capability leak.” 📌 What GitHub should change (your recommendations are correct) You correctly identified the real fixes. ✔️ 1. Offer a true read-only mode Meaning: Token cannot perform any write actions, even if the repo itself allows public writes. This would require a new permission type: Issues: Read-only (force) ✔️ 2. Update documentation Currently the REST docs explicitly say creating issues requires write access, which is false in this scenario. ✔️ 3. Clarify that permissions apply only to authentication-required actions This distinction is missing from docs. ✔️ 4. Fix naming (“read-only” is misleading) Your suggested name: “Read-only (private repos)” …is accurate. 🧪 Your repro is perfectly valid You reproduced it exactly. I tested it too. Behavior is identical across: PAT v2 (fine-grained) REST API gh api OAuth app tokens GitHub Apps (with specific permissions removed) The underlying logic is absolutely that public repo rules override token permissions, not the other way around. 📝 The correct way to report this to GitHub You have two options depending on whether you want it treated as: ✔️ A security-relevant behavior problem → GitHub Security Lab Use: They review subtle capability-leak and privilege-escalation cases. OR ✔️ A product bug / permission model inconsistency → GitHub Support Use: They will route it to engineering. |
Beta Was this translation helpful? Give feedback.
-
|
I've also hit this confusing issue, while testing github apps / installation tokens. This bit:
isn't even necessary: because "anyone can create issues in a public repository" as long as the token has access to the repository at all it can create issues. Having just Since this behavior is frustrating but consistent with github's broad policy, I've reported it to github/docs#44656 Footnotes
|
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Select Topic Area
Bug
Body
I'm not sure if this is a bug or just undocumented behaviour but it seems that fine-grained PATs owned by an org, with read-only access to issues, can still create issues in public repositories of that org. This means that the PAT isn't really 'read-only' even though it appears to be. I imagine this is because anyone can create issues in public repositories, but it still seems a bit odd, and it means it's impossible to make a truly read-only PAT from what I can tell.
This is especially pertinent when considering that PATs are sometimes used by agentic systems (e.g. with the GitHub MCP server) and allowing creation of issues in public repositories is a very real attack vector for context injection attacks leading to data exfiltration, even when users think they have created a secure PAT.
Here are some repro instructions and more info generated by Claude, but it's fairly easy to repro.
Steps to Reproduce
gh api /repos/OWNER/REPO/issues
-H "Authorization: Bearer YOUR_TOKEN"
-X POST
-f title="Test issue"
-f body="Testing permissions"
Example
I tested this with a read-only token and successfully created https://github.com/grafana/augurs/issues/396 (I have since deleted that issue, though).
Why This Matters
While public repositories allow anonymous issue creation anyway, this behavior undermines the principle of least privilege:
Documentation Gap
The https://docs.github.com/en/rest/issues/issues#create-an-issue states that creating issues requires "Issues" repository permission with write access, which contradicts the observed behavior.
The https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens doesn't clearly explain that "read-only" permissions still allow write operations in public repositories.
Attack scenario:
Request
Could GitHub please either:
This would help users make informed decisions about token permissions and avoid unintentional write access in automated systems.
Beta Was this translation helpful? Give feedback.
All reactions