@Cache-Money discovered that a member or collaborator with administrative permissions to a repository within an organization could elevate their privileges to that of an owner within the organization using GitHub Apps. GitHub allowed repository administrators to install a GitHub App on an organization’s repository for which they had permissions. However, if a GitHub App installed by a repository administrator was configured with organization member management permissions, it could be used to add an owner to the organization or modify existing roles. We addressed the vulnerability by restricting GitHub App installations to organization owners. We also verified this vulnerability had not been exploited. This vulnerability did not affect GitHub Enterprise.
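A defensive audit for the condition described above, added here as an example and not GitHub's own code: it flags GitHub App installations that hold organization member management access, represented here by `members: write` in the installation's `permissions` object, and raises the severity when the installer is not an owner or the app was installed on selected repositories only. The installation records are constructed samples, and `OWNERS` and `INSTALLED_BY` are hypothetical inputs that would be compiled from the organization's member list and audit log.

```python
import json

# Constructed sample shaped like the "installations" array returned by
# GET /orgs/{org}/installations (only the fields used here are included).
SAMPLE_INSTALLATIONS = json.loads("""
[
  {"id": 101, "app_slug": "ci-helper", "repository_selection": "selected",
   "permissions": {"contents": "read", "metadata": "read"}},
  {"id": 102, "app_slug": "team-sync", "repository_selection": "all",
   "permissions": {"members": "write", "metadata": "read"}},
  {"id": 103, "app_slug": "repo-tool", "repository_selection": "selected",
   "permissions": {"members": "write", "contents": "write"}}
]
""")

# Hypothetical inputs: current organization owners, and who installed each app.
OWNERS = {"alice"}
INSTALLED_BY = {101: "bob", 102: "alice", 103: "bob"}


def audit_installations(installations, owners, installed_by):
    """Return one finding per app that can change organization membership."""
    findings = []
    for inst in installations:
        perms = inst.get("permissions", {})
        if perms.get("members") != "write":
            continue  # cannot add owners or modify existing roles
        installer = installed_by.get(inst["id"])  # None if unknown
        reasons = []
        if installer not in owners:
            reasons.append("installer unknown or not an organization owner")
        if inst.get("repository_selection") == "selected":
            reasons.append("organization permission on a repository-scoped install")
        findings.append({
            "id": inst["id"],
            "app": inst["app_slug"],
            "installer": installer,
            "reasons": reasons,
            "severity": "high" if reasons else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_installations(SAMPLE_INSTALLATIONS, OWNERS, INSTALLED_BY):
        print(finding)
```

An owner-installed app with member management access is still reported at `review` severity, since it can change roles even though its installation was legitimate.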