Description
A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodies without size or depth limits, causing excessive CPU and memory consumption. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18. This vulnerability was reported via the GitHub Bug Bounty program.
Published: 2026-05-07
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A denial of service was discovered in GitHub Enterprise Server that permits an unauthenticated attacker to send crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parses user-controlled JSON without imposing limits on size or depth, which can cause excessive CPU and memory consumption and bring the service to a halt. The vulnerability is a classic example of uncontrolled resource consumption (CWE‑770).

Affected Systems

The flaw affects all GitHub Enterprise Server releases prior to 3.21. It has been fixed in the release sequence 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18, covering versions 3.16, 3.17, 3.18, 3.19, and 3.20.

Risk and Exploitability

With a CVSS score of 6.3 the risk is elevated, though the EPSS score is not provided so the current exploit probability is unclear. The vulnerability is not listed in CISA’s KEV catalog, but any exposed GitHub Enterprise Server that has not been updated remains susceptible. Attackers can trigger the path simply by sending specially crafted JSON to the public API without authentication, so the threat is readily exploitable if the server is reachable. The impact is service disruption, which can lead to loss of availability for all users of the platform.

Generated by OpenCVE AI on May 7, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GitHub Enterprise Server to any of the patched releases (3.20.2, 3.19.6, 3.18.9, 3.17.15, or 3.16.18).
  • Restart the GitHub Enterprise Server services to ensure the patched code is active.
  • If service availability must be preserved during upgrade, consider placing the server behind an API gateway or firewall that limits request depth or rate, or monitor for abnormal CPU usage and temporarily block offending endpoints.

Generated by OpenCVE AI on May 7, 2026 at 22:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Github
Github enterprise Server
Vendors & Products Github
Github enterprise Server

Thu, 07 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodies without size or depth limits, causing excessive CPU and memory consumption. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18. This vulnerability was reported via the GitHub Bug Bounty program.
Title Denial of service vulnerability in GitHub Enterprise Server allowed service disruption via unauthenticated API endpoint
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U'}

Subscriptions

Github Enterprise Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_P

Published:

Updated: 2026-05-07T21:18:35.655Z

Reserved: 2026-04-30T18:42:48.142Z

Link: CVE-2026-7541

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-07T22:16:36.917

Modified: 2026-05-07T22:16:36.917

Link: CVE-2026-7541

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T23:00:09Z

Weaknesses