Description
A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal content into request parameters, an attacker could bypass the intended request flow and redirect internal API calls, potentially accessing internal services and exposing sensitive credentials. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.1. This vulnerability was reported via the GitHub Bug Bounty program.
Published: 2026-05-27
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A server-side request forgery flaw exists in an upload endpoint of GitHub Enterprise Server. By inserting path-traversal sequences into request parameters, an attacker can change the destination of the server's own internal API calls, so that the appliance makes requests to internal services it was never meant to expose and may return sensitive credentials. No authentication is required, so any instance whose upload endpoint is reachable is exposed to attackers who hold no valid credentials at all.

Affected Systems

GitHub Enterprise Server versions prior to 3.22 are affected. Fixes were released in 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.1; a deployment on any of these release lines should be upgraded at least to the listed patch version for its line, or to 3.22 or later. Note that the NVD CPE list recorded on this page also matches the 3.21.1 release candidate (rc1), so pre-release builds of 3.21.1 should not be treated as fixed.

Risk and Exploitability

The CVSS v4.0 base score of 9.2 is rated Critical; NVD's CVSS v3.1 assessment is 8.2 (High). The v4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:N) records high attack complexity and an attack-requirements condition, and the SSVC assessment lists exploitation as "none" and the flaw as not automatable. The EPSS probability is below 1% and the CVE is not in the CISA KEV catalog, so no known exploitation is recorded at the time of writing; a low EPSS is a prediction, not evidence that exploitation is impossible. Exploitation consists of crafting HTTP requests to the upload endpoint with path-traversal content in request parameters so that the server's internal API calls are redirected to other internal URLs. Because no authentication is required, every unpatched instance whose upload endpoint is reachable remains at risk.

Generated by OpenCVE AI on May 27, 2026 at 01:20 UTC.

Remediation

Vendor fix available: GitHub released patched versions 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.1 (see Description). No workaround is listed by the vendor.

OpenCVE Recommended Actions

  • Upgrade to the patched release for your line (3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, or 3.21.1) or to 3.22 or later; upgrading only to the head of the 3.22 line is not required if the patch release for your current line is available.
  • Until the upgrade lands, limit who can reach the upload endpoint (for example, expose the instance only to trusted networks or behind an authenticating proxy), since the flaw is exploitable without credentials and the endpoint is the entry point.
  • Review which internal services the appliance can reach and restrict its outbound connections to those the deployment actually needs. This reduces but does not remove the exposure: an SSRF that targets services on the appliance itself, or its own internal API, is not affected by network egress rules.
  • Check access logs for requests to the upload endpoint whose parameters contain path-traversal sequences (../ and their URL-encoded forms), especially from unauthenticated sources, to spot probing before and after patching.
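As an added illustration of the weakness class behind the Impact and Risk paragraphs above, the Ruby below is not GitHub's code and does not reproduce the actual GitHub Enterprise Server flaw, whose internals are not described on this page. It shows an internal request target built from an unvalidated request parameter next to a hardened builder; the internal base URL, the identifier grammar and the hostnames are assumptions made for the demo. It also covers a protocol-relative input, which goes slightly beyond the path-traversal case the advisory describes but is handled by the same check.

```ruby
require "uri"

# Constructed illustration of CWE-918 reached through path traversal in a
# request parameter. NOT GitHub Enterprise Server code: the base URL, the
# identifier grammar and the example hosts are assumptions for the demo only.
INTERNAL_BASE = "http://internal-api.example.local/v1/uploads/".freeze

# The opaque identifier grammar an upload id is expected to have (assumed).
ALLOWED_ID = /\A[A-Za-z0-9][A-Za-z0-9_-]{0,63}\z/

# Vulnerable pattern: the request parameter is appended to an internal base URL
# with no validation. URI.join resolves literal dot segments the way RFC 3986
# says, which is also what most HTTP servers do with the path they receive, so
# the result shows where the request actually lands. Percent-encoded dots are
# forwarded untouched; whether they are normalized is then up to the receiver.
def vulnerable_target(upload_id)
  URI.join(INTERNAL_BASE, upload_id)
end

# Hardened pattern: decode once (so %2e%2e cannot hide from the check), accept
# only the identifier grammar, build the URL, then verify the resolved request
# still points at the intended scheme, host, port and path prefix.
def safe_target(upload_id)
  decoded = URI.decode_www_form_component(upload_id.to_s)
  unless decoded.match?(ALLOWED_ID)
    raise ArgumentError, "upload id rejected: #{upload_id.inspect}"
  end

  target = URI.join(INTERNAL_BASE, decoded)
  base   = URI.parse(INTERNAL_BASE)

  # Post-construction check: even if the grammar is loosened later, a request
  # that changed scheme, host or port, or left the /v1/uploads/ prefix, is refused.
  unless target.scheme == base.scheme && target.host == base.host &&
         target.port == base.port && target.path.start_with?(base.path)
    raise ArgumentError, "resolved request escaped #{INTERNAL_BASE}"
  end
  target
end

# Constructed inputs an attacker might place in the upload id parameter.
SAMPLE_INPUTS = [
  "abc123",                          # legitimate id
  "../../admin/credentials",         # traversal to a sibling internal route
  "%2e%2e/%2e%2e/admin/credentials", # the same traversal, URL-encoded once
  "//evil.example.local/exfil",      # network-path reference: changes the host
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_INPUTS.each do |input|
    puts "input: #{input}"
    puts "  vulnerable -> #{vulnerable_target(input)}"
    begin
      puts "  hardened   -> #{safe_target(input)}"
    rescue ArgumentError => e
      puts "  hardened   -> rejected (#{e.message})"
    end
  end
end
```

The post-construction check is the part worth keeping even where the grammar is already strict: it fails closed on the resolved URL rather than on the raw string, so a later change to the allowed characters cannot silently reopen the traversal.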


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 18:45:00 +0000

Type: CPEs
Values added:
  cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
  cpe:2.3:a:github:enterprise_server:3.21.1:rc1:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values added:
  {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

Wed, 27 May 2026 14:30:00 +0000

Type: Metrics (ssvc)
Values added:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 02:15:00 +0000

Type: First time appeared
Values added:
  Github
  Github enterprise Server

Type: Vendors & Products
Values added:
  Github
  Github enterprise Server

Wed, 27 May 2026 00:15:00 +0000

Type: Description
Values added:
  A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal content into request parameters, an attacker could bypass the intended request flow and redirect internal API calls, potentially accessing internal services and exposing sensitive credentials. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.1. This vulnerability was reported via the GitHub Bug Bounty program.

Type: Title
Values added:
  Server-Side Request Forgery vulnerability in GitHub Enterprise Server allowed access to internal services via path traversal in upload endpoint

Type: Weaknesses
Values added:
  CWE-918

Type: References
Values added:
  (no entries captured on this page)

Type: Metrics (cvssV4_0)
Values added:
  {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_P

Published:

Updated: 2026-05-28T03:55:48.115Z

Reserved: 2026-05-22T18:42:28.097Z

Link: CVE-2026-9312

Vulnrichment

Updated: 2026-05-27T13:49:41.800Z

NVD

Status : Analyzed

Published: 2026-05-27T00:16:39.020

Modified: 2026-06-02T18:31:15.540

Link: CVE-2026-9312

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T02:00:11Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)