@Cache-Money discovered that repository administrators could change a repository’s visibility settings even after the organization owner had explicitly disabled it with the “Allow members to change repository visibilities for this organization” setting. Although the action appeared to be disallowed in the browser, a missing authorization check on the server allowed malicious administrators to change the visibility setting by making a direct request to the repository visibility endpoint. We addressed this vulnerability by implementing a systematic fix which requires all visibility modifications to pass through a single authorization check rather than individually applying an authorization check on each endpoint.
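To make the failure mode concrete, here is an added Python model (not GitHub's code) of the two designs the write-up contrasts: an endpoint that relies on the UI to enforce the organization setting, beside one that routes every visibility change through a single authorization check. All class and function names (`Organization`, `Repository`, `authorize_visibility_change`, and so on) are assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Organization:
    # the "Allow members to change repository visibilities" setting
    members_may_change_visibility: bool = True

@dataclass
class Repository:
    org: Organization
    visibility: str = "private"
    admins: set = field(default_factory=set)

class Forbidden(Exception):
    pass

# --- vulnerable: the org setting is consulted only when rendering the UI ---
def render_visibility_control(repo, actor):
    """UI layer: hides the control when the org owner disabled the setting."""
    return actor in repo.admins and repo.org.members_may_change_visibility

def vulnerable_set_visibility(repo, actor, new_visibility):
    """Endpoint handler that checks the repo role but not the org setting,
    so a repo admin posting directly to the endpoint bypasses the UI."""
    if actor not in repo.admins:
        raise Forbidden("not a repository administrator")
    repo.visibility = new_visibility
    return repo.visibility

# --- hardened: one authorization check that every mutation path calls -----
def authorize_visibility_change(repo, actor):
    """Single chokepoint shared by the web form, the API and any other caller."""
    if actor not in repo.admins:
        raise Forbidden("not a repository administrator")
    if not repo.org.members_may_change_visibility:
        raise Forbidden("organization owner disabled visibility changes")

def hardened_set_visibility(repo, actor, new_visibility):
    authorize_visibility_change(repo, actor)  # no path skips this call
    repo.visibility = new_visibility
    return repo.visibility

def attempt(handler, repo, actor, new_visibility):
    """Run a handler and return the new visibility, or "forbidden"."""
    try:
        return handler(repo, actor, new_visibility)
    except Forbidden:
        return "forbidden"
```

With the organization setting disabled, `render_visibility_control` hides the control for a repository admin, yet `vulnerable_set_visibility` still accepts the direct request; `hardened_set_visibility` rejects it because the org setting is evaluated inside the shared check rather than in each endpoint.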