@not-an-aardvark identified that when accessing Gists via Git using an OAuth or Personal Access Token, the provided token’s scope was not properly checked. This could have allowed an authorized OAuth application or Personal Access Token with minimal scopes to modify Gists. This vulnerability would not expose the URL of private Gists and did not affect code repositories on GitHub.com.

We addressed this issue by properly validating a token’s scope when Git operations are performed.
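The class of bug described above, as an added sketch that is not GitHub's code: an authorization hook for Git smart-HTTP requests that accepts any valid token, next to one that requires the `gist` scope for pushes. The token dictionary shape, function names and host name are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Git smart-HTTP services: receive-pack serves pushes, upload-pack serves fetches.
WRITE_SERVICE = "git-receive-pack"
READ_SERVICE = "git-upload-pack"
GIST_WRITE_SCOPE = "gist"  # OAuth scope that grants write access to gists


def git_service(method, url):
    """Return the Git service a smart-HTTP request targets, or None."""
    parts = urlsplit(url)
    if method == "GET" and parts.path.endswith("/info/refs"):
        requested = parse_qs(parts.query).get("service", [])
        return requested[0] if len(requested) == 1 else None
    if method == "POST":
        last = parts.path.rsplit("/", 1)[-1]
        if last in (WRITE_SERVICE, READ_SERVICE):
            return last
    return None


def authorize_unchecked(token, method, url):
    """Model of the flaw: the token is authenticated, its scopes are never read."""
    return token is not None and token["valid"]


def authorize(token, method, url):
    """Deny by default; a push must carry a token holding the gist scope."""
    if token is None or not token["valid"]:
        return False
    service = git_service(method, url)
    if service == WRITE_SERVICE:
        return GIST_WRITE_SCOPE in token["scopes"]
    if service == READ_SERVICE:
        return True  # assumption: read policy is decided elsewhere in this sketch
    return False  # unrecognised Git endpoint


# Constructed sample data (hypothetical host, gist id and tokens).
BASE = "https://gist.example.test/abc123.git"
PUSH_ADVERT = BASE + "/info/refs?service=git-receive-pack"
PUSH = BASE + "/git-receive-pack"
FETCH = BASE + "/git-upload-pack"
MINIMAL_TOKEN = {"valid": True, "scopes": set()}
GIST_TOKEN = {"valid": True, "scopes": {"gist"}}
```

Both the ref advertisement (`GET .../info/refs?service=git-receive-pack`) and the push itself (`POST .../git-receive-pack`) are treated as writes, so a token without the scope is rejected before any pack data is accepted.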