Users Without Roles/Member Roles Can Create Private Repositories And Secret Teams In Github Organizations Even Though The Feature Is Disabled
Description
If the owner of a GitHub organization enables the features “Members will be able to create private repositories, visible to organization members with permission.” and “Allow members to create teams”, users with the member role can create private repositories and teams. When both features are disabled, members cannot do either, because the option no longer exists in the organization UI. With this bug, however, users without a role or with the member role can still create both of these things.
Impact
- Users without a role/member role can create private repositories in an organization even if the owner disables the feature “Members will be able to create private repositories, visible to organization members with permission.”.
- Users without a role/member role can create secret teams in an organization even if the owner disables the feature “Allow members to create teams”.
- Users without a role can escalate themselves to a member in an organization without the owner’s knowledge.
Reproduction Steps
Steps for member roles
Users
- User A (victim)
- User B (attacker)
Steps
- From User A create a new organization (or use an existing one) > then invite User B to your organization.
- From User B accept the invitation.
- From User A turn off the above 2 features in organization settings.
- From User B go to the “Repositories” and “Teams” tabs > you won’t be able to create private repositories and teams because the feature just doesn’t exist.
- From User A go to classroom.github.com > create a classroom > create a group assignment > then send an invitation link to User B.
- From User B open the invitation link > fill in the “Create team” field > then “Accept this assignment”.
- From User A go to your organization > you will see the private repository and secret team successfully created by User B.
Steps for users without roles
- The steps are the same as above, but this time the impact is that users without roles can escalate themselves to members of the organization.
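An organization owner who wants to notice this kind of bypass can compare audit-log creation events against the organization's member permission settings. The script below is an added example, not part of the original report; the audit-log entries are constructed and their field names (`action`, `actor`, `visibility`, `repo`, `team`) are assumed to follow GitHub's audit-log export, and the settings dictionary keys are invented names for the two settings quoted in the report.

```python
"""Flag audit-log events that contradict an org's member permission settings.

All data here is constructed. Field names follow GitHub's audit-log export
as assumed by the author of this example; adjust them to a real export.
"""

# Assumed key names for the two settings quoted in the report, both disabled.
ORG_SETTINGS = {
    "members_can_create_private_repositories": False,
    "members_can_create_teams": False,
}

# Constructed: org owners, whose repository and team creations are legitimate.
OWNERS = {"user-a"}

# Constructed audit-log entries mirroring the reproduction steps above.
SAMPLE_AUDIT_LOG = [
    {"action": "repo.create", "actor": "user-a", "org": "example-org",
     "repo": "example-org/owner-repo", "visibility": "private"},
    {"action": "repo.create", "actor": "user-b", "org": "example-org",
     "repo": "example-org/assignment-user-b", "visibility": "private"},
    {"action": "team.create", "actor": "user-b", "org": "example-org",
     "team": "example-org/classroom-team"},
    {"action": "repo.create", "actor": "user-b", "org": "example-org",
     "repo": "example-org/public-thing", "visibility": "public"},
]


def find_policy_bypasses(events, settings, owners):
    """Return (reason, actor, target) for each event a non-owner should not
    have been able to perform under the given settings."""
    findings = []
    for ev in events:
        if ev["actor"] in owners:
            continue  # owners may create anything regardless of member settings
        if (ev["action"] == "repo.create"
                and ev.get("visibility") == "private"
                and not settings["members_can_create_private_repositories"]):
            findings.append(("private repo created by non-owner", ev["actor"], ev["repo"]))
        elif ev["action"] == "team.create" and not settings["members_can_create_teams"]:
            findings.append(("team created by non-owner", ev["actor"], ev["team"]))
    return findings


if __name__ == "__main__":
    for reason, actor, target in find_policy_bypasses(SAMPLE_AUDIT_LOG, ORG_SETTINGS, OWNERS):
        print(f"{reason}: {actor} -> {target}")
```

Run against a real audit-log export, the two flagged events (a private repository and a team created by the member `user-b`) are exactly the artifacts the reproduction steps produce via GitHub Classroom.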
Timeline
March 14, 2025: Submitted report via HackerOne.
March 15, 2025: hubot posted a comment.
March 19, 2025: hubot closed the report and changed the status to Informative.