CVE-2026-7541
Status: Undergoing Analysis - In Progress
Denial of Service in GitHub Enterprise Server

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: GitHub, Inc. (Products Only)

Description
A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodies without size or depth limits, causing excessive CPU and memory consumption. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18. This vulnerability was reported via the GitHub Bug Bounty program.
Meta Information
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: github
Product: enterprise_server
Version / Range: up to 3.21 (excluding)
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how this denial of service vulnerability in GitHub Enterprise Server impacts compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

This vulnerability is a denial of service issue in GitHub Enterprise Server. It allows an unauthenticated attacker to disrupt the service by sending specially crafted requests containing deeply nested JSON payloads to an unauthenticated API endpoint.

The affected endpoint processes user-controlled JSON request bodies without any limits on size or nesting depth, which leads to excessive CPU and memory usage, causing the service to become unavailable.

This issue affects all versions of GitHub Enterprise Server before version 3.21 and was fixed in several patch releases including 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18.


How can this vulnerability impact me?

The primary impact of this vulnerability is a denial of service condition, where an attacker can cause the GitHub Enterprise Server to become unresponsive or crash by exhausting its CPU and memory resources.

Since the attack can be performed without authentication, it poses a risk of service disruption to all users relying on the affected server, potentially halting development workflows and access to repositories.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade GitHub Enterprise Server to one of the fixed versions: 3.20.2, 3.19.6, 3.18.9, 3.17.15, or 3.16.18.

This will prevent unauthenticated attackers from causing service disruption by sending crafted requests with deeply nested JSON payloads to the vulnerable API endpoint.

