CVE-2026-9312
Status: Received - Intake
SSRF via Path Traversal in GitHub Enterprise Server

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc. (Products Only)

Description
A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal content into request parameters, an attacker could bypass the intended request flow and redirect internal API calls, potentially accessing internal services and exposing sensitive credentials. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.1; read those as the first patched release on each supported branch, with 3.22 containing the fix from the start. This vulnerability was reported via the GitHub Bug Bounty program.
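To make the bug class concrete, here is an added example written for this page. It is hypothetical code, not GitHub's code, and nothing about the real GHES endpoint is known beyond the description above. It assumes an internal service at internal-api.local with an /uploads/ route, a request parameter named upload_id, and a receiving server that percent-decodes the path before removing dot-segments; the attacker inputs are constructed. It shows the vulnerable concatenation beside an allowlisted, defence-in-depth replacement.

```python
"""Illustrative SSRF-via-path-traversal pattern (hypothetical, not GHES code).

Models a server that builds an internal API URL from a request parameter.
Names, URLs and attacker inputs are constructed for this example.
"""
import posixpath
import re
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Hypothetical internal service the upload endpoint forwards requests to.
INTERNAL_API_BASE = "http://internal-api.local/uploads/"

# Allowlist for the parameter: identifier characters only, so no '.', '/',
# '%', '?' or '#' can ever reach the URL.
SAFE_UPLOAD_ID = re.compile(r"\A[A-Za-z0-9_-]{1,64}\Z")


class RequestRejected(ValueError):
    """Raised by the hardened builder when input would leave the intended path."""


def build_url_vulnerable(upload_id: str) -> str:
    """Vulnerable pattern: the untrusted parameter is concatenated into the path.

    Nothing stops '../' (or its percent-encoded form) from walking out of
    /uploads/ into any other route on the internal service.
    """
    return INTERNAL_API_BASE + upload_id


def effective_target(url: str) -> str:
    """Return the URL the internal service will actually route.

    Assumption: the receiving server percent-decodes the path and then removes
    dot-segments (RFC 3986 section 5.2.4). posixpath.normpath performs the same
    '.' / '..' collapsing for an absolute path, without touching the network.
    """
    parts = urlsplit(url)
    path = posixpath.normpath(unquote(parts.path))
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, ""))


def is_safe_upload_id(upload_id: str) -> bool:
    """Allowlist check on the raw parameter before it touches any URL."""
    return SAFE_UPLOAD_ID.match(upload_id) is not None


def build_url_hardened(upload_id: str) -> str:
    """Hardened pattern: validate, percent-encode, then confirm the resolved target.

    The allowlist alone is sufficient; the post-resolution check is defence in
    depth so a later loosening of the regex cannot silently reopen the hole.
    """
    if not is_safe_upload_id(upload_id):
        raise RequestRejected(f"rejected upload id {upload_id!r}")
    url = INTERNAL_API_BASE + quote(upload_id, safe="")
    if not effective_target(url).startswith(INTERNAL_API_BASE):
        raise RequestRejected("resolved target escapes the intended base path")
    return url


def demo() -> dict:
    """Run both builders against constructed benign and attacker inputs."""
    inputs = {
        "benign": "upload-42",
        "traversal": "../admin/credentials",          # constructed attacker input
        "encoded": "..%2F..%2Fadmin%2Fcredentials",   # same input, percent-encoded
    }
    results = {}
    for label, value in inputs.items():
        resolved = effective_target(build_url_vulnerable(value))
        try:
            hardened = build_url_hardened(value)
        except RequestRejected as exc:
            hardened = f"REJECTED ({exc})"
        results[label] = (resolved, hardened)
    return results


if __name__ == "__main__":
    for label, (resolved, hardened) in demo().items():
        print(f"{label:10} vulnerable -> {resolved}")
        print(f"{'':10} hardened   -> {hardened}")
```

Running the module prints, for the traversal and encoded inputs, an effective target of http://internal-api.local/admin/credentials from the vulnerable builder and a rejection from the hardened one; the benign identifier passes both unchanged. The encoded case is included because a regex that only looks for a literal "../" would miss it once the internal server decodes the path.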
CVSS Scores
No CVSS score is listed for this entry.

EPSS Scores
Not yet evaluated (no probability or percentile available).
Affected Vendors & Products
7 associated CPEs:

Vendor    Product              Version / Range
github    enterprise_server    < 3.22 (upper bound excluded)
github    enterprise_server    3.16.20
github    enterprise_server    3.17.17
github    enterprise_server    3.18.11
github    enterprise_server    3.19.8
github    enterprise_server    3.20.4
github    enterprise_server    3.21.1

The six point-release entries match the fixed versions named in the description, so read them as the patched floor for each branch rather than as additional vulnerable versions: on a given branch, everything earlier than that release is affected.
Exploitability
CWE: CWE-918 (Server-Side Request Forgery). The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
KEV: no catalog entry listed.
AI Powered Q&A
Can you explain this vulnerability to me?

An upload endpoint in GitHub Enterprise Server did not adequately validate its request parameters. An attacker who can reach the endpoint, without an account or token, can place path traversal sequences in those parameters; the server then issues an internal API call to a destination the attacker chose rather than the one the code intended.

That is a server-side request forgery (CWE-918). Because the forged request originates from the server itself, it reaches internal services that are never exposed externally, and the responses can include sensitive credentials.

All releases before 3.22 are affected; the fix shipped in 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4 and 3.21.1.


How can this vulnerability impact me? :

No authentication is required, so anyone who can reach the instance's web interface can attempt it.

A successful request reaches services that are normally accessible only from inside the instance, and the description explicitly names exposure of sensitive credentials as a possible outcome. Credentials obtained this way give an attacker a path to whatever those credentials protect, so the impact in your environment depends on which internal services the instance can reach and what they hold.


What immediate steps should I take to mitigate this vulnerability?

Upgrade to the fixed release for the branch you run: 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4 or 3.21.1 (for example, an instance on 3.19.x goes to 3.19.8 or later), or to 3.22 or later. Afterwards, confirm the instance reports one of those versions.

If an immediate upgrade is not possible, bear in mind that the attacker needs no credentials, so only network-level restrictions on who can reach the instance reduce exposure in the meantime.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This record says nothing about regulatory impact.

Whether an incident based on this flaw would be reportable under GDPR, HIPAA or a similar regime depends on what data the exposed credentials protect in your deployment, which this entry does not cover.