Server-Side Request Forgery Vulnerability in GitHub Enterprise Server
CVE-2026-9312
9.2 CRITICAL
What is CVE-2026-9312?
A server-side request forgery (SSRF) vulnerability was detected in GitHub Enterprise Server, allowing unauthenticated attackers to exploit insufficient input validation in an upload endpoint. By using crafted requests with path traversal content, attackers could manipulate the intended request flow and redirect internal API calls, leading to unauthorized access to internal services and potential exposure of sensitive information. This issue impacted all versions prior to 3.22 and has been addressed in later versions.
Affected Version(s)
Enterprise Server 3.16.0 through 3.16.19
Enterprise Server 3.17.0 through 3.17.16
References
EPSS Score
6% chance of being exploited in the next 30 days.
CVSS V4
Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
ahacker1