Skip to main content

GitHub Enterprise Server CVE-2026-9312

| EUVDEUVD-2026-32027 CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-27 GitHub_P GHSA-fwfp-h68w-2hcr
9.2
CVSS 4.0 · Vendor: GitHub_P
Share

Severity by source

Vendor (GitHub_P) PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (GitHub_P) · only source for this CVE.

CVSS VectorVendor: GitHub_P

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
May 27, 2026 - 19:46 EUVD
Analysis Generated
May 27, 2026 - 00:27 vuln.today
CVSS changed
May 27, 2026 - 00:22 NVD
9.2 (CRITICAL)
CVE Published
May 27, 2026 - 00:02 nvd
CRITICAL 9.2

DescriptionCVE.org

A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal content into request parameters, an attacker could bypass the intended request flow and redirect internal API calls, potentially accessing internal services and exposing sensitive credentials. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.1. This vulnerability was reported via the GitHub Bug Bounty program.

AnalysisAI

Server-side request forgery in GitHub Enterprise Server lets an unauthenticated attacker coerce the appliance into issuing crafted requests to internal services, reachable through an upload endpoint that fails to validate input. By injecting path-traversal content into request parameters, an attacker can redirect internal API calls to reach back-end services and harvest sensitive credentials. No public exploit identified at time of analysis; the issue was reported through the GitHub Bug Bounty program and carries a CVSS 4.0 base score of 9.2 (Critical), though the vector flags high attack complexity and an extra attack requirement that temper real-world ease of exploitation.

Technical ContextAI

GitHub Enterprise Server is the self-hosted, on-premises distribution of GitHub used by organizations to run private code, CI, and collaboration on their own infrastructure (CPE cpe:2.3:a:github:enterprise_server). The root-cause class is CWE-918 (Server-Side Request Forgery): an upload endpoint accepts attacker-controlled values that are used to construct the destination of a server-initiated request without adequate validation. The vendor and tags indicate the SSRF is reached specifically via path traversal (e.g., '../' style sequences) embedded in request parameters, which lets the attacker break out of the intended request flow and steer internal API calls. Because the request originates from the appliance itself, it can reach internal-only services and metadata/credential endpoints that are not exposed to the public network - the classic SSRF pivot into a trusted internal perimeter.

RemediationAI

Upgrade GitHub Enterprise Server to a fixed release on your current line: Vendor-released patches are 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.1 - apply the patch matching your deployed series (release notes at https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.20 and the equivalent 3.17/3.18/3.19/3.20/3.21 pages). If an immediate upgrade is not possible, reduce exposure with compensating controls: restrict network access to the GHES management/web endpoints to trusted networks or a VPN so the unauthenticated upload endpoint is not reachable from untrusted clients (trade-off: may break external integrations and remote contributor access), and place egress filtering on the appliance so it cannot initiate requests to sensitive internal hosts, metadata services, or credential stores (trade-off: can disrupt legitimate outbound integrations such as webhooks, package proxies, and external auth). Monitor appliance and reverse-proxy logs for anomalous upload requests containing path-traversal sequences and unexpected internal-bound requests. These mitigations narrow the attack surface but do not replace the patch.

CVE-2013-4854 HIGH POC
7.8 Jul 29

The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and

CVE-2024-0200 CRITICAL POC
9.8 Jan 16

An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. R

CVE-2024-9487 CRITICAL POC
9.5 Oct 10

An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowe

CVE-2024-4985 CRITICAL
10.0 May 20

An authentication bypass vulnerability was present in the GitHub Enterprise Server (GHES) when utilizing SAML single sig

CVE-2017-7420 CRITICAL
9.8 Aug 21

An Authentication Bypass (CWE-287) vulnerability in ESMAC (aka Enterprise Server Monitor and Control) in Micro Focus Ent

CVE-2023-4501 CRITICAL
9.8 Sep 12

User authentication with username and password credentials is ineffective in OpenText (Micro Focus) Visual COBOL, COBOL

CVE-2022-46255 CRITICAL
9.8 Dec 14

An improper limitation of a pathname to a restricted directory vulnerability was identified in GitHub Enterprise Server

CVE-2021-22869 CRITICAL
9.8 Sep 24

An improper access control vulnerability in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted

CVE-2024-6800 CRITICAL
9.5 Aug 20

An XML signature wrapping vulnerability was present in GitHub Enterprise Server (GHES) when using SAML authentication wi

CVE-2024-1378 CRITICAL
9.1 Feb 13

A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor rol

CVE-2024-1374 CRITICAL
9.1 Feb 13

A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor rol

CVE-2024-1372 CRITICAL
9.1 Feb 13

A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor rol

Share

CVE-2026-9312 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy