PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9312 GitHub CVE debrief

A critical server-side request forgery (SSRF) vulnerability in GitHub Enterprise Server allowed unauthenticated attackers to redirect internal API calls by injecting path traversal sequences into upload endpoint parameters. The flaw, rooted in insufficient input validation, enabled access to internal services and potential credential exposure. GitHub resolved this across multiple release branches; administrators must upgrade to patched versions immediately.

Vendor
GitHub
Product
Enterprise Server
CVSS
CRITICAL 9.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

GitHub Enterprise Server administrators, DevOps engineers managing self-hosted GitHub instances, security teams responsible for supply chain and source code management infrastructure, and organizations with strict network segmentation requirements between development tools and internal services.

Technical summary

The vulnerability exists in an upload endpoint where insufficient input validation permits path traversal injection. Attackers can craft requests containing directory traversal sequences (e.g., ../) that bypass intended request routing, causing the server to issue requests to internal services. This SSRF primitive requires no authentication and can expose sensitive credentials or internal API functionality. The attack complexity is rated high due to required positioning, but the impact is severe across confidentiality, integrity, and availability dimensions.

Defensive priority

critical

Recommended defensive actions

  • Upgrade GitHub Enterprise Server to version 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, or 3.21.1 (or later) depending on your current release branch
  • Review network segmentation between GitHub Enterprise Server and internal services to limit blast radius of SSRF vulnerabilities
  • Audit upload endpoints and implement strict input validation to reject path traversal sequences
  • Monitor internal service logs for anomalous request patterns originating from GitHub Enterprise Server instances
  • If immediate patching is not feasible, restrict network egress from GitHub Enterprise Server to essential services only

Evidence notes

The vulnerability description and affected versions are drawn from the official CVE record and GitHub release notes. The CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) indicates network attack vector with high attack complexity but no privileges required, yielding critical impact on confidentiality, integrity, and availability. CWE-918 (Server-Side Request Forgery) is cited as the weakness type.

Official resources

GitHub disclosed this vulnerability on 2026-05-27 via the GitHub Bug Bounty program.