Denial of Service Vulnerability in GitHub Enterprise Server
CVE-2026-15007
What is CVE-2026-15007?
A denial of service vulnerability has been found in GitHub Enterprise Server that enables an authenticated user to disrupt service by submitting a repository release notes configuration file with deeply nested YAML. The processing of this configuration file lacks a nesting depth limit, resulting in significant resource consumption and the potential to render the server instance unresponsive. This issue impacts all versions of GitHub Enterprise Server prior to 3.22 and has been addressed in the subsequent updates 3.17.18, 3.18.12, 3.19.9, 3.20.5, and 3.21.3. Reporting of this vulnerability was facilitated through the GitHub Bug Bounty program.
Affected Version(s)
Enterprise Server 3.17.0 <= 3.17.17
Enterprise Server 3.17.0 <= 3.17.17
Enterprise Server 3.18.0 <= 3.18.11