Denial of Service Vulnerability in GitHub Enterprise Server
CVE-2026-15007

5.7MEDIUM

Key Information:

Vendor

Github

Vendor
CVE Published:
17 July 2026

What is CVE-2026-15007?

A denial of service vulnerability has been found in GitHub Enterprise Server that enables an authenticated user to disrupt service by submitting a repository release notes configuration file with deeply nested YAML. The processing of this configuration file lacks a nesting depth limit, resulting in significant resource consumption and the potential to render the server instance unresponsive. This issue impacts all versions of GitHub Enterprise Server prior to 3.22 and has been addressed in the subsequent updates 3.17.18, 3.18.12, 3.19.9, 3.20.5, and 3.21.3. Reporting of this vulnerability was facilitated through the GitHub Bug Bounty program.

Affected Version(s)

Enterprise Server 3.17.0 <= 3.17.17

Enterprise Server 3.17.0 <= 3.17.17

Enterprise Server 3.18.0 <= 3.18.11

References

CVSS V4

Score:
5.7
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Stanislav Valkanov (GitHub: svalkanov)
.