CVE-2026-9312
Modified Modified - Updated After Analysis

SSRF via Path Traversal in GitHub Enterprise Server

Vulnerability report for CVE-2026-9312, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-27

Last updated on: 2026-06-30

Assigner: GitHub, Inc. (Products Only)

Description

A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal content into request parameters, an attacker could bypass the intended request flow and redirect internal API calls, potentially accessing internal services and exposing sensitive credentials. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.2. This vulnerability was reported via the GitHub Bug Bounty program.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-27
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-05-27
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
github enterprise_server From 3.17.0 (inc) to 3.17.16 (exc)
github enterprise_server From 3.18.0 (inc) to 3.18.10 (exc)
github enterprise_server From 3.19.0 (inc) to 3.19.7 (exc)
github enterprise_server From 3.20.0 (inc) to 3.20.3 (exc)
github enterprise_server From 3.16.0 (inc) to 3.16.19 (exc)
github enterprise_server 3.21.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a server-side request forgery (SSRF) found in GitHub Enterprise Server. It allows an unauthenticated attacker to send specially crafted requests to internal services by exploiting insufficient input validation in an upload endpoint.

By injecting path traversal content into request parameters, the attacker can bypass the intended request flow and redirect internal API calls. This could lead to accessing internal services and exposing sensitive credentials.

The vulnerability affects all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.1.

Impact Analysis

This vulnerability can have serious impacts as it allows an unauthenticated attacker to access internal services that are normally protected.

By exploiting the SSRF, attackers could potentially retrieve sensitive credentials and other internal information, which could lead to further compromise of the system or network.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your GitHub Enterprise Server to one of the fixed versions: 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, or 3.21.1.

Compliance Impact

The vulnerability described is a server-side request forgery (SSRF) in GitHub Enterprise Server that could allow an unauthenticated attacker to access internal services and expose sensitive credentials by exploiting insufficient input validation.

However, there is no specific information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9312. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart