On September 15, 2022, we fixed a bug on GitHub.com that allowed OAuth tokens (such as personal access tokens) to bypass SAML single sign-on (SSO) requirements to view organization issue data using the /issues GitHub API endpoint.

The SAML SSO bypass could only happen when the token owner was a member of a SAML SSO protected organization, had the necessary permissions to view the issue data, and was using an OAuth token that was not authorized for use with SAML SSO. Integrations using an OAuth token matching the above criteria would also bypass SAML SSO requirements when making requests to the /issues API endpoint.

The accessible data included the title, body, labels, and assignee of the issue, but did not include comments on the issue itself. The bug did not allow organization members to view repository, issue, or other organization data that they did not have permission to view.