CVE-2026-9312
Description
A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal content into request parameters, an attacker could bypass the intended request flow and redirect internal API calls, potentially accessing internal services and exposing sensitive credentials. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.1. This vulnerability was reported via the GitHub Bug Bounty program.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated SSRF in a GHES upload endpoint lets attackers reach internal services from the instance and potentially expose sensitive credentials.
Vulnerability
A server-side request forgery (SSRF) vulnerability exists in an upload endpoint of GitHub Enterprise Server (GHES) versions prior to 3.22. The flaw stems from insufficient validation of request parameters: path traversal content placed in those parameters redirects the internal API calls the endpoint makes on the caller's behalf. An unauthenticated attacker with network access to the affected GHES instance can exploit it [1][2][3][4].
Exploitation
An attacker with network access to the GHES instance sends crafted requests to the upload endpoint. By injecting path traversal sequences into request parameters, the attacker bypasses the intended request flow and redirects the endpoint's internal API calls to other internal services reachable from the instance. No authentication is required [1][2][3][4].
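The mechanism described in the Vulnerability and Exploitation sections, as an added illustration written for this page: it is not GHES code and does not reproduce the affected endpoint. The internal host, the `/uploads/` namespace and the `upload_id` parameter are hypothetical. The naive builder concatenates a caller-controlled parameter into an internal URL, so traversal segments retarget the request; the hardened builder decodes once, accepts only a single plain path segment, and confirms the resolved path stays inside the intended prefix.

```python
"""Added example (not GHES code): path traversal in a request parameter
retargeting a server-side request, beside a hardened builder that refuses
it.  The internal host, the /uploads/ namespace and the upload_id
parameter are all hypothetical."""
import posixpath
from urllib.parse import quote, unquote, urlsplit

# Hypothetical internal service the upload handler is meant to reach.
INTERNAL_BASE = "http://internal-storage.local/uploads/"
INTENDED_PREFIX = "/uploads/"


def escapes_namespace(url: str, prefix: str = INTENDED_PREFIX) -> bool:
    """True when the request, after the percent-decoding and dot-segment
    resolution a typical origin server applies (an assumption about the
    target server, not a property of the HTTP client), lands outside
    `prefix`.  The trailing '/' keeps '/uploads' itself inside the prefix."""
    path = posixpath.normpath(unquote(urlsplit(url).path))
    return not (path + "/").startswith(prefix)


def build_internal_url_vulnerable(upload_id: str) -> str:
    """Naive builder: the caller-controlled parameter is concatenated into
    the internal URL unchanged, so '../' (or %2e%2e/) segments survive and
    the request resolves outside the intended /uploads/ namespace."""
    return INTERNAL_BASE + upload_id


class TraversalRejected(ValueError):
    """Raised when a parameter does not name a single plain path segment."""


def build_internal_url_hardened(upload_id: str) -> str:
    """Hardened builder: percent-decode first (so %2e%2e is seen as ..),
    accept only one path segment, re-encode it, then re-check the result."""
    raw = unquote(upload_id)
    if not raw or "/" in raw or "\\" in raw or raw in (".", ".."):
        raise TraversalRejected(f"rejected upload id: {upload_id!r}")
    url = INTERNAL_BASE + quote(raw, safe="")
    # Defence in depth: the allow-list above should make this unreachable.
    if escapes_namespace(url):
        raise TraversalRejected(f"rejected upload id: {upload_id!r}")
    return url


def rejected(upload_id: str) -> bool:
    """Convenience: does the hardened builder refuse this parameter?"""
    try:
        build_internal_url_hardened(upload_id)
    except TraversalRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: one benign, two traversal attempts.
    for param in ("avatar.png", "../admin/credentials", "%2e%2e/admin/credentials"):
        url = build_internal_url_vulnerable(param)
        print(f"{param!r:32} naive -> {url}  escapes={escapes_namespace(url)}"
              f"  hardened rejects={rejected(param)}")
```

The check runs on the decoded, normalised path rather than on the raw parameter because that is what the internal server will act on; rejecting on the raw string alone misses encoded variants such as `%2e%2e/`.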
Impact
Successful exploitation allows the attacker to send forged requests to internal services reachable from the GHES instance. This can lead to exposure of sensitive credentials and unauthorized access to internal resources, potentially compromising the confidentiality of the affected system [1][2][3][4].
Mitigation
GitHub fixed the flaw in GHES 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4 and 3.21.1; 3.22 and later are unaffected. Administrators should upgrade each instance to at least the patched release on its line, or to 3.22 or later. Release lines older than 3.16 have no patched release listed, so instances on them must move to a supported line. Because exploitation needs no authentication, limiting network access to the instance until it is patched reduces exposure. As of the publication date, there is no known KEV listing [1][2][3][4].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
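A triage helper for the Mitigation section above, added here and not GitHub's tooling: it encodes the fixed-version list from the advisory and reports, for an inventory of version strings, which instances still need an upgrade and to what. The host names and versions in the sample inventory are constructed for illustration.

```python
"""Version triage for CVE-2026-9312 (added example, not GitHub's tooling).
The fixed-version list comes from the advisory text; the inventory at the
bottom is constructed for illustration."""
import re
from typing import Optional

# First patched release on each supported line, per the advisory.
FIXED = {
    (3, 16): 20,
    (3, 17): 17,
    (3, 18): 11,
    (3, 19): 8,
    (3, 20): 4,
    (3, 21): 1,
}
# Every 3.22 or later release ships with the fix.
FIRST_UNAFFECTED_LINE = (3, 22)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """'3.16.19' -> (3, 16, 19); a trailing suffix such as '-rc1' is ignored."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GHES version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line >= FIRST_UNAFFECTED_LINE:
        return False
    if line in FIXED:
        return patch < FIXED[line]
    # Older lines (3.15 and earlier) have no patched release listed, and the
    # advisory says every version before 3.22 is affected.
    return True


def upgrade_target(version: str) -> Optional[str]:
    """Smallest in-line upgrade that closes the issue, or None if the
    instance is already fixed.  For lines with no fix, recommend the
    oldest line that has one (an upgrade across release lines)."""
    if not is_vulnerable(version):
        return None
    major, minor, _ = parse_version(version)
    line = (major, minor)
    if line in FIXED:
        return f"{major}.{minor}.{FIXED[line]}"
    oldest = min(FIXED)
    return f"{oldest[0]}.{oldest[1]}.{FIXED[oldest]}"


def triage(inventory: dict) -> dict:
    """Map hostname -> required upgrade for every still-vulnerable instance."""
    return {host: upgrade_target(v) for host, v in inventory.items()
            if is_vulnerable(v)}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and versions).
    sample = {
        "ghes-prod.example": "3.20.3",
        "ghes-staging.example": "3.21.1",
        "ghes-legacy.example": "3.15.9",
        "ghes-new.example": "3.22.0",
    }
    for host, target in triage(sample).items():
        print(f"{host}: upgrade to {target}")
```

Feed `triage` the `installed_version` values you already collect from each instance; anything it returns is below the first patched release on its line.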
Affected products
- GitHub Enterprise Server (no CPE assigned): versions < 3.22
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://docs.github.com/en/enterprise-server@3.16/admin/release-notes (source: NVD)
- https://docs.github.com/en/enterprise-server@3.17/admin/release-notes (source: NVD)
- https://docs.github.com/en/enterprise-server@3.18/admin/release-notes (source: NVD)
- https://docs.github.com/en/enterprise-server@3.19/admin/release-notes (source: NVD)
- https://docs.github.com/en/enterprise-server@3.20/admin/release-notes (source: NVD)
- https://docs.github.com/en/enterprise-server@3.21/admin/release-notes (source: NVD)
News mentions
No linked articles in our index yet.