CVE-2026-15343
Received Received - Intake

Path Traversal in GitHub Enterprise Server

Vulnerability report for CVE-2026-15343, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc. (Products Only)

Description

A path traversal vulnerability was identified in GitHub Enterprise Server that allowed an attacker who had code execution inside the Dependabot updater container to write files to arbitrary repository paths, including GitHub Actions workflow files under .github/workflows/ as the path validation did not check the effective path which the attacker could control through the dependency file's directory and symlink target. If the repository used a pull_request_target workflow or had auto-merge enabled, an injected workflow could execute with access to the repository's GitHub Actions secrets. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.3, 3.20.5, 3.19.9, 3.18.12, 3.17.18.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
github enterprise_server to 3.22 (exc)
github enterprise_server 3.21.3
github enterprise_server 3.20.5
github enterprise_server 3.19.9
github enterprise_server 3.18.12
github enterprise_server 3.17.18

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a path traversal vulnerability in GitHub Enterprise Server. An attacker with code execution inside the Dependabot updater container could write files to arbitrary repository paths, including GitHub Actions workflow files. The path validation did not check the effective path, which the attacker could manipulate through the dependency file's directory and symlink target. This allowed injecting malicious workflows that could execute with access to repository secrets.

Detection Guidance

This vulnerability requires checking for unauthorized GitHub Actions workflow files in .github/workflows/ directories. Inspect repository contents for unexpected workflow files, especially those referencing secrets or external actions. Review Dependabot updater container logs for suspicious file writes or symlink manipulations. Check for pull_request_target workflows or auto-merge settings that could execute injected workflows.

Impact Analysis

If you use GitHub Enterprise Server versions prior to 3.22, an attacker could inject malicious GitHub Actions workflows into your repositories. If your repository uses pull_request_target workflows or has auto-merge enabled, these injected workflows could execute with access to your repository's secrets, potentially leading to unauthorized access, data theft, or further compromise of your systems.

Compliance Impact

This vulnerability could potentially impact compliance with GDPR and HIPAA by allowing unauthorized access to repository files, including GitHub Actions workflows that may handle sensitive data. If exploited, it could lead to unauthorized code execution with access to secrets, violating confidentiality requirements under these regulations.

Mitigation Strategies

Update GitHub Enterprise Server to a fixed version (3.21.3, 3.20.5, 3.19.9, 3.18.12, or 3.17.18 or later) to address the path traversal vulnerability in the Dependabot updater container.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15343. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart