PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15007 GitHub CVE debrief

CVE-2026-15007 is a denial of service vulnerability in GitHub Enterprise Server that allows an authenticated user to cause service disruption by supplying a repository release notes configuration file containing deeply nested YAML. This issue affects all versions of GitHub Enterprise Server prior to 3.22. The vulnerability was fixed in versions 3.17.18, 3.18.12, 3.19.9, 3.20.5, and 3.21.3. The vulnerability leads to excessive resource consumption when release notes are generated from deeply nested YAML configuration files, potentially rendering the instance unresponsive.

Vendor
GitHub
Product
Enterprise Server
CVSS
MEDIUM 5.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Administrators and users of GitHub Enterprise Server prior to version 3.22 should be aware of this vulnerability and take steps to mitigate it. This includes updating to a fixed version and restricting access to repository release notes configuration files. Monitoring for suspicious activity related to repository release notes is also recommended.

Technical summary

The vulnerability allows an authenticated user to cause service disruption by supplying a repository release notes configuration file containing deeply nested YAML. When release notes are generated, the configuration file is parsed without a nesting depth limit, causing excessive resource consumption that could render the instance unresponsive. This affects all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.17.18, 3.18.12, 3.19.9, 3.20.5, and 3.21.3.

Defensive priority

Medium

Recommended defensive actions

  • Update to a fixed version of GitHub Enterprise Server (3.17.18, 3.18.12, 3.19.9, 3.20.5, or 3.21.3)
  • Restrict access to repository release notes configuration files
  • Monitor for suspicious activity
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The vulnerability was reported via the GitHub Bug Bounty program. Affected versions of GitHub Enterprise Server include all versions prior to 3.22. The issue arises from the parsing of deeply nested YAML in repository release notes configuration files without a nesting depth limit, leading to excessive resource consumption. This could render the instance unresponsive. Evidence is limited to public sources and vendor statements. Defenders should verify instance configurations and monitor for suspicious activity related to repository release notes.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T16:17:13.743Z and has not been modified since then.