Description
An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Management Console administrator to execute arbitrary OS commands via shell metacharacter injection in proxy configuration fields such as http_proxy. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and administrator privileges to the Management Console. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.
Published: 2026-04-21
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An improper neutralization of special elements vulnerability allows an authenticated Management Console administrator to inject shell metacharacters into proxy configuration fields, such as the http_proxy setting, and execute arbitrary operating‑system commands. This results in full control of the server, compromising confidentiality, integrity, and availability of the entire GitHub Enterprise Server instance.

Affected Systems

GitHub Enterprise Server versions prior to 3.21 are affected. The issue was addressed in releases 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21 and 3.14.26, and the vulnerability is present in all earlier releases.

Risk and Exploitability

The CVSS score of 8.1 reflects a high‑severity flaw. EPSS data is unavailable, but the vulnerability is not listed in CISA's KEV catalog, indicating no known widespread exploitation yet. Successful exploitation requires authenticated, privileged access to the GitHub Enterprise Server Management Console, meaning the attack surface is limited to administrators or compromised admin credentials. Even so, the impact of a successful attack is critical, providing full remote code execution on the server.

Generated by OpenCVE AI on April 22, 2026 at 06:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch by upgrading to GitHub Enterprise Server 3.20.1 or newer, ensuring all earlier vulnerable releases are removed.
  • Validate proxy configuration values to accept only well‑formed URLs and reject any shell metacharacters.
  • Restrict Management Console administrator privileges to a minimal trusted group and regularly monitor for unauthorized configuration changes.
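As an added illustration of the second recommended action (example code, not GitHub's own implementation), the following validates a proxy setting as a plain http(s) URL and hands it to a child process through its environment with an argv list, so no shell ever parses the value. The function names and the accepted URL shape (scheme, optional credentials, host, optional port) are assumptions.

```python
"""Defensive handling of proxy settings such as http_proxy.

Added example, not GitHub's code: the value is validated as a bare URL
and reaches child processes only via the environment of an argv-list
subprocess, never by interpolation into a shell command line.
"""
import os
import re
import subprocess
from urllib.parse import urlsplit

# Anything a POSIX shell could interpret; none of it belongs in a proxy URL.
SHELL_METACHARS = set(";&|`$(){}<>\\\"'*?\n\r\t ")
ALLOWED_SCHEMES = {"http", "https"}
# urlsplit().hostname is lowercased and has IPv6 brackets stripped.
HOST_RE = re.compile(r"[a-z0-9.-]+|[0-9a-f:.]+")


def validate_proxy_url(value: str) -> bool:
    """True only for a well-formed http(s)://[user:pass@]host[:port] value."""
    if not value or any(c in SHELL_METACHARS for c in value):
        return False
    if not all(0x21 <= ord(c) <= 0x7E for c in value):  # controls, non-ASCII
        return False
    try:
        parts = urlsplit(value)            # raises on malformed IPv6 literals
        host, _port = parts.hostname, parts.port  # .port raises on bad ports
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES or parts.path not in ("", "/"):
        return False
    if parts.query or parts.fragment:
        return False
    return bool(host) and HOST_RE.fullmatch(host) is not None


def build_proxy_env(value: str, base_env=None) -> dict:
    """Return a child-process environment carrying a validated proxy URL."""
    if not validate_proxy_url(value):
        raise ValueError("rejected proxy setting")
    env = dict(base_env or {})
    env["http_proxy"] = env["https_proxy"] = value
    return env


def run_with_proxy(argv: list, value: str) -> subprocess.CompletedProcess:
    """Run argv as a list (shell=False); the proxy is exported via env only."""
    env = build_proxy_env(value, dict(os.environ))
    return subprocess.run(argv, env=env, check=False)
```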

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 04:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Github; Github enterprise Server

Type: Vendors & Products
Values removed: (none)
Values added: Github; Github enterprise Server

Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
Values removed: (none)
Values added: An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Management Console administrator to execute arbitrary OS commands via shell metacharacter injection in proxy configuration fields such as http_proxy. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and administrator privileges to the Management Console. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.

Type: Title
Values removed: (none)
Values added: Proxy configuration command injection vulnerability found in GitHub Enterprise Server Management Console configuration API

Type: Weaknesses
Values removed: (none)
Values added: CWE-78

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added: cvssV4_0 {'score': 8.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_P

Published:

Updated: 2026-04-22T13:17:26.288Z

Reserved: 2026-03-25T13:55:26.048Z

Link: CVE-2026-4821

Vulnrichment

Updated: 2026-04-22T13:17:21.381Z

NVD

Status: Awaiting Analysis

Published: 2026-04-21T23:16:22.037

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-4821

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:30:10Z

Weaknesses