Description
A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal content into request parameters, an attacker could bypass the intended request flow and redirect internal API calls, potentially accessing internal services and exposing sensitive credentials. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.2. This vulnerability was reported via the GitHub Bug Bounty program.
Published: 2026-05-27
Score: 9.2 Critical
EPSS: 6.6% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A server‑side request forgery flaw exists in the upload endpoint of GitHub Enterprise Server, allowing an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation. By inserting path‑traversal characters into request parameters, an attacker can cause the server to perform internal HTTP requests, bypassing the intended audience and exposing internal services and potentially sensitive credentials. This weakness corresponds to CWE‑918. The vulnerability affected all versions prior to 3.22 and was fixed in 3.17.17, 3.18.11, 3.19.8, 3.20.4, vulnerability was reported via the GitHub Bug Bounty program. The flaw is active for unauthenticated users and therefore allows attackers to reach protected resources without needing valid credentials.

Affected Systems

GitHub Enterprise Server versions prior to 3.22 are affected. The fix was released in 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.2; any deployment running an older version must be upgraded to a patched release.

Risk and Exploitability

The CVSS score of 9.2 indicates high severity, while the EPSS score of 0.06605 (6.605%) indicates a moderate likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by crafting HTTP requests to the public upload API endpoint, using path‑traversal to direct the server to reach internal URLs. Because authentication is not required, the risk persists for all exposed instances until patched.

Generated by OpenCVE AI on June 30, 2026 at 23:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest GitHub Enterprise Server patch (for example 3.21.2 or later) to eliminate the SSRF flaw in the upload endpoint (CWE‑918).
  • Enforce strict input validation and sandboxing at the upload endpoint to neutralize path‑traversal attempts, thereby mitigating the SSRF weakness referenced by CWE‑918.
  • Configure network segmentation or firewall rules to block outbound traffic from the GitHub Enterprise Server to internal IP ranges that are not part of approved deployments, reducing the impact of any SSRF exploitation.

Generated by OpenCVE AI on June 30, 2026 at 23:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal content into request parameters, an attacker could bypass the intended request flow and redirect internal API calls, potentially accessing internal services and exposing sensitive credentials. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.1. This vulnerability was reported via the GitHub Bug Bounty program. A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal content into request parameters, an attacker could bypass the intended request flow and redirect internal API calls, potentially accessing internal services and exposing sensitive credentials. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.2. This vulnerability was reported via the GitHub Bug Bounty program.
References

Tue, 02 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
cpe:2.3:a:github:enterprise_server:3.21.1:rc1:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}


Wed, 27 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 May 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Github
Github enterprise Server
Vendors & Products Github
Github enterprise Server

Wed, 27 May 2026 00:15:00 +0000

Type Values Removed Values Added
Description A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal content into request parameters, an attacker could bypass the intended request flow and redirect internal API calls, potentially accessing internal services and exposing sensitive credentials. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.1. This vulnerability was reported via the GitHub Bug Bounty program.
Title Server-Side Request Forgery vulnerability in GitHub Enterprise Server allowed access to internal services via path traversal in upload endpoint
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Github Enterprise Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_P

Published:

Updated: 2026-06-30T20:53:28.093Z

Reserved: 2026-05-22T18:42:28.097Z

Link: CVE-2026-9312

cve-icon Vulnrichment

Updated: 2026-05-27T13:49:41.800Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T00:16:39.020

Modified: 2026-06-17T11:05:03.080

Link: CVE-2026-9312

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T00:00:17Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)