GitHub Enterprise Server Server-Side Request Forgery Vulnerability in Upload Endpoint

Vulnerability

A server-side request forgery (SSRF) vulnerability exists in GitHub Enterprise Server versions prior to 3.22. This vulnerability allows an unauthenticated attacker to send crafted requests to internal services by exploiting inadequate input validation in an upload endpoint. By injecting path traversal content into request parameters, an attacker could manipulate the request flow and redirect internal API calls, potentially accessing internal services and exposing sensitive credentials.
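The advisory attributes the flaw to inadequate input validation on an upload endpoint, where path-traversal content in a request parameter ends up steering server-side calls at internal services. The block below is an added example of the defensive checks that close that class of bug; it is not GitHub's code and does not reflect the actual vulnerable endpoint. The parameter shapes, the upload root, and the internal host allow-list are assumptions chosen for illustration.

```python
"""Added example (hypothetical, not GitHub Enterprise Server code): validating
an upload path parameter and any server-side URL derived from user input so
that neither traversal segments nor a crafted host can redirect internal calls."""
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import urljoin, urlsplit, urlunsplit

# Assumption: the only internal services this handler may ever talk to.
ALLOWED_INTERNAL_HOSTS = {"storage.internal", "scanner.internal"}
# Assumption: every stored upload must resolve beneath this directory.
UPLOAD_ROOT = PurePosixPath("/data/uploads")


def safe_upload_path(user_path: str) -> Optional[PurePosixPath]:
    """Return the path under UPLOAD_ROOT for a user-supplied relative path,
    or None if the input could escape the root (absolute path, any '..'
    segment, NUL byte, or leftover percent-encoding that a later decoder
    could turn into a separator)."""
    if "\x00" in user_path or "%" in user_path:
        return None
    candidate = PurePosixPath(user_path)
    if candidate.is_absolute():
        return None
    parts = []
    for part in candidate.parts:
        if part in ("", "."):
            continue
        if part == "..":
            return None  # reject every parent reference, not just leading ones
        parts.append(part)
    if not parts:
        return None
    return UPLOAD_ROOT.joinpath(*parts)


def safe_internal_url(url: str) -> Optional[str]:
    """Accept only http(s) URLs whose host is on the allow-list, with no
    userinfo and no '..' path segment, and return a normalised form.
    Comparing the parsed hostname (not a string prefix) defeats tricks such
    as 'http://storage.internal@other.example/'."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    if parts.username is not None or parts.password is not None:
        return None
    if parts.hostname not in ALLOWED_INTERNAL_HOSTS:
        return None
    if ".." in parts.path.split("/"):
        return None
    netloc = parts.hostname if parts.port is None else f"{parts.hostname}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


def safe_redirect(current_url: str, location: str) -> Optional[str]:
    """Re-validate a redirect target with the same policy as the original
    request, so an internal service cannot be used to bounce the server
    somewhere the allow-list never permitted."""
    return safe_internal_url(urljoin(current_url, location))
```

The three functions share one rule: the server never builds a filesystem path or an outbound URL from raw request input; it derives a canonical value and rejects anything that does not fit the allow-list. Re-checking redirect targets matters because a permitted internal host can still answer with a Location header pointing elsewhere.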

Impact

Exploitation of this vulnerability could lead to unauthorized access to internal services and exposure of sensitive credentials.

Remediation

Users can upgrade to GitHub Enterprise Server versions 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, or 3.21.1. Instructions for upgrading can be found in the GitHub Enterprise Server documentation.

Added: May 27, 2026, 12:22 AM
Updated: May 27, 2026, 12:22 AM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 0.4
exploitability: 6.8
remediation: 7.7
relevance: 9.7
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.