CVE-2026-9312
Status: Analyzed (Analysis Complete)
SSRF via Path Traversal in GitHub Enterprise Server

Publication date: 2026-05-27

Last updated on: 2026-06-02

Assigner: GitHub, Inc. (Products Only)

Description
A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal content into request parameters, an attacker could bypass the intended request flow and redirect internal API calls, potentially accessing internal services and exposing sensitive credentials. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.1. This vulnerability was reported via the GitHub Bug Bounty program.
Meta Information
Generated: 2026-06-16
AI Q&A generated: 2026-05-27
EPSS evaluated: 2026-06-14
Affected Vendors & Products (6 associated CPEs)
Vendor | Product | Version / Range
github | enterprise_server | from 3.16.0 (inclusive) to 3.16.19 (exclusive)
github | enterprise_server | from 3.17.0 (inclusive) to 3.17.16 (exclusive)
github | enterprise_server | from 3.18.0 (inclusive) to 3.18.10 (exclusive)
github | enterprise_server | from 3.19.0 (inclusive) to 3.19.7 (exclusive)
github | enterprise_server | from 3.20.0 (inclusive) to 3.20.3 (exclusive)
github | enterprise_server | 3.21.1
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI-generated insights
Executive Summary

This vulnerability is a server-side request forgery (SSRF) found in GitHub Enterprise Server. It allows an unauthenticated attacker to send specially crafted requests to internal services by exploiting insufficient input validation in an upload endpoint.

By injecting path traversal content into request parameters, the attacker can bypass the intended request flow and redirect internal API calls. This could lead to accessing internal services and exposing sensitive credentials.

The vulnerability affects all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.1.

Impact Analysis

This vulnerability can have serious impact because it allows an unauthenticated attacker to reach internal services that are normally protected.

By exploiting the SSRF, attackers could potentially retrieve sensitive credentials and other internal information, which could lead to further compromise of the system or network.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your GitHub Enterprise Server to one of the fixed versions: 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, or 3.21.1.

Compliance Impact

The vulnerability described is a server-side request forgery (SSRF) in GitHub Enterprise Server that could allow an unauthenticated attacker to access internal services and expose sensitive credentials by exploiting insufficient input validation.

However, the record provides no specific information about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
