PatchSiren cyber security CVE debrief
CVE-2026-15343 GitHub CVE debrief
A path traversal vulnerability was identified in GitHub Enterprise Server, allowing an attacker with code execution inside the Dependabot updater container to write files to arbitrary repository paths. This included GitHub Actions workflow files under .github/workflows/. If the repository used a pull_request_target workflow or had auto-merge enabled, an injected workflow could execute with access to the repository's GitHub Actions secrets. The vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.3, 3.20.5, 3.19.9, 3.18.12, and 3.17.18. This debrief provides an overview of the vulnerability and its potential impact.
- Vendor
- GitHub
- Product
- Enterprise Server
- CVSS
- HIGH 8.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
GitHub Enterprise Server administrators and users who manage repositories with GitHub Actions workflows should be aware of this vulnerability and take steps to ensure their systems are updated to a fixed version. Additionally, security teams and vulnerability management teams should review the affected scope and severity to prioritize remediation efforts.
Technical summary
The vulnerability is caused by a path traversal issue in GitHub Enterprise Server, which allows an attacker to control the effective path through the dependency file's directory and symlink target. This can lead to the execution of injected workflows with access to repository secrets. The vulnerability affects all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.3, 3.20.5, 3.19.9, 3.18.12, and 3.17.18. It is essential to update to a fixed version to prevent exploitation.
Defensive priority
High
Recommended defensive actions
- Update GitHub Enterprise Server to a fixed version (3.21.3, 3.20.5, 3.19.9, 3.18.12, or 3.17.18)
- Review and restrict access to GitHub Actions workflows
- Monitor repository activity for suspicious workflow executions
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The CVE record was published on 2026-07-17T16:17:13.917Z and last modified on 2026-07-17T18:11:59.263Z. The NVD entry is currently Deferred. This information is based on the provided source corpus. Further verification is recommended to ensure accuracy.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T16:17:13.917Z and has not been modified since then. The NVD entry is currently Deferred.