PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15343 GitHub CVE debrief

A path traversal vulnerability was identified in GitHub Enterprise Server, allowing an attacker with code execution inside the Dependabot updater container to write files to arbitrary repository paths. This included GitHub Actions workflow files under .github/workflows/. If the repository used a pull_request_target workflow or had auto-merge enabled, an injected workflow could execute with access to the repository's GitHub Actions secrets. The vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.3, 3.20.5, 3.19.9, 3.18.12, and 3.17.18. This debrief provides an overview of the vulnerability and its potential impact.

Vendor
GitHub
Product
Enterprise Server
CVSS
HIGH 8.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

GitHub Enterprise Server administrators and users who manage repositories with GitHub Actions workflows should be aware of this vulnerability and take steps to ensure their systems are updated to a fixed version. Additionally, security teams and vulnerability management teams should review the affected scope and severity to prioritize remediation efforts.

Technical summary

The vulnerability is caused by a path traversal issue in GitHub Enterprise Server, which allows an attacker to control the effective path through the dependency file's directory and symlink target. This can lead to the execution of injected workflows with access to repository secrets. The vulnerability affects all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.3, 3.20.5, 3.19.9, 3.18.12, and 3.17.18. It is essential to update to a fixed version to prevent exploitation.

Defensive priority

High

Recommended defensive actions

  • Update GitHub Enterprise Server to a fixed version (3.21.3, 3.20.5, 3.19.9, 3.18.12, or 3.17.18)
  • Review and restrict access to GitHub Actions workflows
  • Monitor repository activity for suspicious workflow executions
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-07-17T16:17:13.917Z and last modified on 2026-07-17T18:11:59.263Z. The NVD entry is currently Deferred. This information is based on the provided source corpus. Further verification is recommended to ensure accuracy.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T16:17:13.917Z and has not been modified since then. The NVD entry is currently Deferred.