CVE-2026-7541
Analyzed Analyzed - Analysis Complete
Denial of Service in GitHub Enterprise Server

Publication date: 2026-05-07

Last updated on: 2026-05-11

Assigner: GitHub, Inc. (Products Only)

Description
A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodies without size or depth limits, causing excessive CPU and memory consumption. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18. This vulnerability was reported via the GitHub Bug Bounty program.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-11
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-7541
EUVD
EUVD-2026-28462
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
github enterprise_server From 3.20.0 (inc) to 3.20.2 (exc)
github enterprise_server to 3.16.18 (exc)
github enterprise_server From 3.17.0 (inc) to 3.17.15 (exc)
github enterprise_server From 3.18.0 (inc) to 3.18.9 (exc)
github enterprise_server From 3.19.0 (inc) to 3.19.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a denial of service issue in GitHub Enterprise Server. It allows an unauthenticated attacker to disrupt the service by sending specially crafted requests containing deeply nested JSON payloads to an unauthenticated API endpoint.

The affected endpoint processes user-controlled JSON request bodies without any limits on size or nesting depth, which leads to excessive CPU and memory usage, causing the service to become unavailable.

This issue affects all versions of GitHub Enterprise Server before version 3.21 and was fixed in several patch releases including 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18.

Impact Analysis

The primary impact of this vulnerability is a denial of service condition, where an attacker can cause the GitHub Enterprise Server to become unresponsive or crash by exhausting its CPU and memory resources.

Since the attack can be performed without authentication, it poses a risk of service disruption to all users relying on the affected server, potentially halting development workflows and access to repositories.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade GitHub Enterprise Server to one of the fixed versions: 3.20.2, 3.19.6, 3.18.9, 3.17.15, or 3.16.18.

This will prevent unauthenticated attackers from causing service disruption by sending crafted requests with deeply nested JSON payloads to the vulnerable API endpoint.

Compliance Impact

The provided information does not specify how this denial of service vulnerability in GitHub Enterprise Server impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7541. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart