CVE-2026-15007
Received Received - Intake

Denial of Service in GitHub Enterprise Server via Nested YAML

Vulnerability report for CVE-2026-15007, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc. (Products Only)

Description

A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to cause service disruption by supplying a repository release notes configuration file containing deeply nested YAML. When release notes were generated, the configuration file was parsed without a nesting depth limit, causing excessive resource consumption that could render the instance unresponsive. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.17.18, 3.18.12, 3.19.9, 3.20.5, and 3.21.3. This vulnerability was reported via the GitHub Bug Bounty program.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 8 associated CPEs
Vendor Product Version / Range
github enterprise_server to 3.22 (exc)
github enterprise_server 3.17.18
github enterprise_server 3.18.12
github enterprise_server 3.19.9
github enterprise_server 3.20.5
github enterprise_server 3.21.3
github enterprise_server 3.19.1
github enterprise_server 3.20.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a denial of service vulnerability in GitHub Enterprise Server where an authenticated user can cause service disruption by providing a repository release notes configuration file with deeply nested YAML. When release notes are generated, the file is parsed without a nesting depth limit, consuming excessive resources and making the instance unresponsive. It affects all versions before 3.22 and was fixed in 3.17.18, 3.18.12, 3.19.9, 3.20.5, and 3.21.3.

Detection Guidance

Detecting this vulnerability requires checking GitHub Enterprise Server versions prior to 3.22. Verify if your instance is running any version below 3.17.18, 3.18.12, 3.19.9, 3.20.5, or 3.21.3. Inspect repository release notes configuration files for deeply nested YAML structures that could cause excessive resource consumption during parsing.

Impact Analysis

An attacker with authenticated access could exploit this to crash or slow down your GitHub Enterprise Server instance, disrupting operations for all users. This could lead to downtime, loss of productivity, and potential data access issues during the outage.

Compliance Impact

This vulnerability is a denial of service issue that could render GitHub Enterprise Server instances unresponsive due to excessive resource consumption. While it does not directly impact data confidentiality or integrity, service disruption could interfere with access controls, audit logging, and availability requirements under standards like GDPR and HIPAA. Organizations relying on GHES for regulated workloads may face compliance risks if availability is compromised during an attack.

Mitigation Strategies

Upgrade GitHub Enterprise Server to a patched version (3.17.18, 3.18.12, 3.19.9, 3.20.5, or 3.21.3 or later). Review and sanitize repository release notes configuration files to prevent deeply nested YAML structures. Monitor system resource usage for signs of excessive consumption during release notes generation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15007. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart