CVE-2026-4821
Received Received - Intake
Shell Metacharacter Injection in GitHub Enterprise Server Proxy Configuration

Publication date: 2026-04-21

Last updated on: 2026-04-29

Assigner: GitHub, Inc. (Products Only)

Description
An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Management Console administrator to execute arbitrary OS commands via shell metacharacter injection in proxy configuration fields such as http_proxy. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and administrator privileges to the Management Console. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-29
Generated
2026-05-07
AI Q&A
2026-04-22
EPSS Evaluated
2026-05-05
NVD
CVE-2026-4821
EUVD
EUVD-2026-24547
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
github enterprise_server to 3.14.26 (exc)
github enterprise_server From 3.15.0 (inc) to 3.15.21 (exc)
github enterprise_server From 3.16.0 (inc) to 3.16.17 (exc)
github enterprise_server From 3.17.0 (inc) to 3.17.14 (exc)
github enterprise_server From 3.18.0 (inc) to 3.18.8 (exc)
github enterprise_server From 3.19.0 (inc) to 3.19.5 (exc)
github enterprise_server 3.20.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an improper neutralization of special elements in GitHub Enterprise Server. It allows an authenticated Management Console administrator to execute arbitrary operating system commands by injecting shell metacharacters into proxy configuration fields such as http_proxy.

Exploitation requires both access to the GitHub Enterprise Server instance and administrator privileges to the Management Console.

The issue affects all versions of GitHub Enterprise Server prior to 3.21 and was fixed in several versions starting from 3.14.26 up to 3.20.1.


How can this vulnerability impact me? :

If exploited, this vulnerability allows an attacker with administrator access to execute arbitrary OS commands on the server hosting GitHub Enterprise Server.

This can lead to unauthorized control over the server, potentially compromising the confidentiality, integrity, and availability of the system and its data.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade your GitHub Enterprise Server to a fixed version. The vulnerability affects all versions prior to 3.21 and is fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26.

Additionally, restrict access to the Management Console to trusted administrators only, as exploitation requires administrator privileges.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart