External risk intelligence

GitHub Enterprise Server: Unauthenticated Access to Internal Services

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-9312

A server-side request forgery vulnerability in GitHub Enterprise Server allows unauthenticated attackers to access internal services and potentially sensitive credentials. The issue stems from insufficient input validation in an upload endpoint, enabling attackers to redirect internal API calls. This presents a busines

4Halo Surface Signal

Server-Side Request Forgery

Github Enterprise Server

3.16.0 to before 3.16.193.17.0 to before 3.17.163.18.0 to before 3.18.103.19.0 to before 3.19.73.20.0 to before 3.20.33.21.1

External exposure likelihood

Halo Surface Signal score for CVE-2026-9312

GitHub Enterprise Server is frequently deployed as an internet-facing application or edge service to facilitate remote code collaboration and CI/CD pipelines. The vulnerability exists in an upload endpoint, which is a common feature exposed in these web-based management environments, making it reachable from the internet in many standard enterprise deployments.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

A flaw in GitHub Enterprise Server's upload functionality could allow an attacker to send requests to internal services. This occurs due to inadequate validation of user input in the upload endpoint. An attacker could exploit this by inserting specific content into request parameters. This could lead to unauthorized access to internal services and the potential exposure of sensitive credentials.

  • Vulnerable upload functionality
  • Insufficient input validation
  • Internal service access

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could exploit a server-side request forgery vulnerability by sending specially crafted requests to an upload endpoint. This could allow the attacker to bypass intended request flows and redirect internal API calls. This action could lead to unauthorized access to internal services and the potential exposure of sensitive credentials.

  • Exposure via public-facing upload endpoint.
  • Attacker sends crafted request with path traversal.
  • Bypasses intended flow, accesses internal services.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in GitHub Enterprise Server could allow an attacker to access internal services and sensitive credentials. The exploit involves sending crafted requests to bypass intended security controls. Organizations should treat this as a high-risk situation requiring prompt attention to mitigate potential data breaches and system compromise.

  • Attackers with moderate skill.
  • Unauthenticated access to internal services.
  • High business risk and urgency.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows an unauthenticated attacker to access internal services and potentially sensitive credentials by exploiting insufficient input validation in an upload endpoint. Organizations should take immediate steps to identify affected systems, reduce potential exposure, apply vendor fixes, validate the remediation, and monitor for related malicious activity.

  • Find exposed GitHub Enterprise Server assets.
  • Reduce exposure or isolate affected systems.
  • Apply vendor fixes and validate implementation.
  • Monitor for related security events.

Frequently asked questions

What is GitHub Enterprise Server and how does it support software development?

GitHub Enterprise Server is a self-hosted version of GitHub for organizations. It helps manage code repositories, aids developer collaboration, and automates software development workflows by providing a private instance of the GitHub platform for internal use.

What type of vulnerability is CVE-2026-9312 and what is its weakness class?

CVE-2026-9312 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918. This flaw allows an attacker to trick the server into making unintended requests to internal resources or services.

How can an unauthenticated attacker exploit CVE-2026-9312 through the upload endpoint?

An unauthenticated attacker can exploit this vulnerability by sending crafted requests to an upload endpoint. By injecting path traversal content into request parameters, they can bypass the intended request flow and redirect internal API calls to access internal services.

What is the relevance of CVE-2026-9312 for internet-facing GitHub Enterprise Server deployments?

This vulnerability is relevant because GitHub Enterprise Server is often deployed facing the internet for collaboration. Exploiting an upload endpoint, a common feature, can lead to unauthorized access to internal services and sensitive credentials, posing a significant risk to connected systems.

What actions should organizations take to address CVE-2026-9312?

Organizations should identify affected GitHub Enterprise Server assets, reduce exposure or isolate systems, apply vendor-provided fixes for versions prior to 3.22 (e.g., 3.16.20, 3.17.17, 3.18.11), validate remediation, and monitor for related malicious activity.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified