CVE-2026-9312 Overview
CVE-2026-9312 is a Server-Side Request Forgery (SSRF) vulnerability in GitHub Enterprise Server [CWE-918]. The flaw resides in an upload endpoint that performs insufficient input validation. Unauthenticated attackers can inject path traversal content into request parameters to redirect internal API calls. Successful exploitation allows access to internal services and exposure of sensitive credentials.
The vulnerability affects every GitHub Enterprise Server release before 3.16.20 and each of the 3.17 through 3.21 release lines before the fixed version for that line. GitHub addressed the issue in versions 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.1. The vulnerability was reported through the GitHub Bug Bounty program.
Critical Impact
Unauthenticated attackers can pivot to internal services and harvest sensitive credentials by abusing an upload endpoint on GitHub Enterprise Server.
Affected Products
- GitHub Enterprise Server versions prior to 3.16.20 (including all release lines older than 3.16)
- GitHub Enterprise Server 3.17.x prior to 3.17.17
- GitHub Enterprise Server 3.18.x prior to 3.18.11
- GitHub Enterprise Server 3.19.x prior to 3.19.8
- GitHub Enterprise Server 3.20.x prior to 3.20.4
- GitHub Enterprise Server 3.21.x prior to 3.21.1
Discovery Timeline
- 2026-05-27 - CVE-2026-9312 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-9312
Vulnerability Analysis
The vulnerability stems from improper validation of user-supplied input in an upload endpoint within GitHub Enterprise Server. The endpoint accepts request parameters that influence the destination of subsequent internal API calls. Because the application does not adequately sanitize path traversal sequences, attackers can manipulate the endpoint to issue arbitrary requests to internal services.
This is a classic Server-Side Request Forgery pattern classified under [CWE-918]. The server effectively acts as a proxy on behalf of the attacker, reaching internal hosts that are not exposed beyond the network perimeter. Internal services often expose metadata endpoints, configuration interfaces, or unauthenticated administrative APIs that return sensitive credentials.
The attack requires neither authentication nor user interaction. Exploitation is not entirely trivial, however: the attacker must craft parameter values that survive whatever decoding and routing the endpoint applies and still resolve to the intended internal target.
Root Cause
The root cause is insufficient input validation on parameters consumed by an upload endpoint. The endpoint trusts attacker-controlled values when constructing or routing internal HTTP requests. Path traversal content injected into these parameters alters the resolved internal URL, redirecting calls to attacker-chosen internal targets.
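To make the mechanism described in the analysis and root cause sections concrete, the following is a hypothetical illustration added for this page; it is not GitHub Enterprise Server code, and the internal host, path layout, parameter name and helper functions are assumptions. It shows how a parameter that is resolved against an internal base URL without validation lets ".." segments climb out of the intended path, and (going one step beyond the text) how a scheme-relative reference replaces the host entirely, beside a hardened builder that allowlists the parameter and re-checks the resolved URL.

```python
"""Hypothetical illustration (added for this page, not GitHub Enterprise Server
code) of how an unvalidated upload parameter redirects an internal request,
beside one hardened version.  The internal host, path layout and parameter
name are assumptions."""
import re
from urllib.parse import urljoin, urlsplit, unquote

# Assumed internal API base that an upload handler forwards requests to.
INTERNAL_BASE = "http://internal-api.local/api/v1/uploads/"


def build_internal_url_vulnerable(base: str, upload_name: str) -> str:
    """Trusts the caller-supplied name.  urljoin applies normal URL reference
    resolution, so '..' segments climb out of the uploads path and a
    scheme-relative reference ('//host/...') replaces the host entirely."""
    return urljoin(base, unquote(upload_name))


# Allowlist: a single path segment, no leading dot, no separators.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def build_internal_url_hardened(base: str, upload_name: str) -> str:
    """Validates the parameter before use and re-checks the resolved URL."""
    # Decode twice so a double-encoded sequence (%252e%252e%252f) is inspected
    # in the form the next hop would see, then allowlist the result.
    decoded = unquote(unquote(upload_name))
    if not _SAFE_NAME.fullmatch(decoded):
        raise ValueError(f"rejected upload name: {upload_name!r}")
    url = urljoin(base, decoded)
    b, u = urlsplit(base), urlsplit(url)
    # Defence in depth: the resolved URL must still point at the same
    # scheme and host and stay under the intended path prefix.
    if (u.scheme, u.netloc) != (b.scheme, b.netloc) or not u.path.startswith(b.path):
        raise ValueError(f"resolved URL escaped base: {url}")
    return url


def demo() -> dict:
    """Runs constructed parameter values through both builders.
    Returns {label: (vulnerable_result, hardened_result_or_None)}."""
    samples = {
        "benign": "avatar.png",
        "traversal": "../../../admin/credentials",
        "encoded": "..%2F..%2F..%2Fadmin%2Fcredentials",
        "host_switch": "//169.254.169.254/latest/meta-data/",
    }
    results = {}
    for label, name in samples.items():
        vulnerable = build_internal_url_vulnerable(INTERNAL_BASE, name)
        try:
            hardened = build_internal_url_hardened(INTERNAL_BASE, name)
        except ValueError:
            hardened = None
        results[label] = (vulnerable, hardened)
    return results


if __name__ == "__main__":
    for label, (vulnerable, hardened) in demo().items():
        print(f"{label:12s} vulnerable -> {vulnerable}")
        print(f"{'':12s} hardened   -> {hardened or 'rejected'}")
```

The second check in the hardened builder matters even with an allowlist: it catches the case where a later refactor loosens the regex, because any value that changes the host or leaves the uploads prefix is rejected regardless of how it was encoded.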
Attack Vector
An unauthenticated remote attacker sends a crafted HTTP request to the vulnerable upload endpoint on a GitHub Enterprise Server appliance. Path traversal sequences embedded in request parameters cause the server to issue internal API calls to attacker-chosen targets within the appliance's internal network. The server returns or processes responses from those internal services, exposing credentials and other sensitive data.
No verified public exploit code is available. Refer to the GitHub Enterprise Server 3.21.1 release notes for vendor-provided details on the fix.
Detection Methods for CVE-2026-9312
Indicators of Compromise
- HTTP requests to upload endpoints containing path traversal sequences such as ../, ..%2F, %2e%2e/, their double-encoded forms (%252e%252e%252f), or backslash variants (..\) in request parameters.
- Unexpected outbound or loopback HTTP requests originating from the GitHub Enterprise Server application user to internal service addresses.
- Access log entries showing unauthenticated requests to upload endpoints from unfamiliar source IP addresses.
- Internal service logs showing requests sourced from the GitHub Enterprise Server appliance that do not match normal application workflows.
Detection Strategies
- Inspect web access logs for upload endpoint requests containing encoded or unencoded path traversal patterns in query strings or POST bodies.
- Correlate ingress requests to the appliance with subsequent internal HTTP traffic to detect SSRF pivot behavior.
- Deploy web application firewall rules that flag traversal sequences and unexpected URL schemes in upload parameters.
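The indicators and detection strategies above reduce to one check: find requests to the upload endpoint whose path or query carries a traversal sequence once encoding is undone. The script below is an added example written for this page, not GitHub's tooling or log format; the nginx-style log lines are constructed, and the "/upload" endpoint pattern is an assumption to replace with the real path from the vendor release notes. It percent-decodes in bounded rounds so that single- and double-encoded sequences normalise to the same form, folds backslashes, and scopes the match to the endpoint so that unrelated traversal noise (the /static line) is not reported.

```python
"""Added example for this page (not GitHub's tooling): scans nginx-style
access log lines for requests to an upload endpoint whose path or query
carries a path traversal sequence, after undoing single and double URL
encoding.  The log lines below are constructed, and the '/upload' endpoint
pattern is an assumption to replace with the real path."""
import re
from urllib.parse import unquote

# Constructed sample lines in nginx "combined" format.
SAMPLE_LOG = """\
203.0.113.7 - - [27/May/2026:10:01:12 +0000] "POST /upload?target=avatar.png HTTP/1.1" 200 512 "-" "git/2.44"
203.0.113.9 - - [27/May/2026:10:02:03 +0000] "POST /upload?target=..%2F..%2F..%2Fadmin%2Fcredentials HTTP/1.1" 200 1843 "-" "curl/8.5"
198.51.100.4 - - [27/May/2026:10:02:41 +0000] "GET /upload/%252e%252e/%252e%252e/internal/config HTTP/1.1" 200 2210 "-" "python-requests/2.31"
203.0.113.7 - - [27/May/2026:10:03:15 +0000] "GET /api/v3/repos/org/repo HTTP/1.1" 200 4096 "-" "git/2.44"
192.0.2.55 - - [27/May/2026:10:04:00 +0000] "GET /static/..%2f..%2fetc/passwd HTTP/1.1" 404 0 "-" "curl/8.5"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# '..' as a whole segment: preceded by start, '/', '?', '=' or '&' and followed
# by a separator or end of string, so 'a..b' does not match.
TRAVERSAL_RE = re.compile(r"(?<![^/?=&])\.\.(?=[/?&]|$)")
# Overlong UTF-8 encodings of '.', '/' and '\' that percent-decoding leaves as-is.
OVERLONG_RE = re.compile(r"%c0%ae|%c0%af|%c1%9c", re.IGNORECASE)


def normalize_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decodes repeatedly (bounded) so %2e%2e%2f and %252e%252e%252f
    both become '../', then folds backslashes to '/' and lowercases."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/").lower()


def find_upload_traversal(lines, endpoint_re=re.compile(r"/upload")):
    """Returns one dict per request that hits the upload endpoint with a
    traversal sequence in its path or query string."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        normalized = normalize_target(m["target"])
        path = normalized.split("?", 1)[0]
        if not endpoint_re.search(path):
            continue
        if TRAVERSAL_RE.search(normalized) or OVERLONG_RE.search(m["target"]):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "method": m["method"],
                "target": m["target"],
                "normalized": normalized,
                "status": int(m["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_upload_traversal(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['ip']:14s} {hit['status']} {hit['method']} {hit['target']}")
        print(f"{'':>35s} decoded: {hit['normalized']}")
```

Two caveats when running this against real data. Access logs record only the request line, so a traversal sequence sent in a POST body is invisible here; pair the scan with the application logs or a WAF audit log that captures bodies. And a 2xx status on a flagged request deserves priority over a 4xx, since it suggests the internal call was actually made.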
Monitoring Recommendations
- Forward GitHub Enterprise Server haproxy, nginx, and application logs to a centralized SIEM for retention and correlation.
- Alert on requests to internal metadata services or 127.0.0.1-bound endpoints originating from the GitHub Enterprise Server process.
- Monitor for sudden spikes in traffic to upload endpoints from unauthenticated sources.
How to Mitigate CVE-2026-9312
Immediate Actions Required
- Upgrade GitHub Enterprise Server to a patched version: 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, or 3.21.1.
- Rotate any credentials accessible from internal services reachable by the appliance, including API tokens and service account secrets.
- Review access logs as far back as retention allows, with particular attention to the period before the patch was applied, for indicators consistent with SSRF exploitation.
Patch Information
GitHub released fixes in versions 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.1. Administrators should consult the release notes for whichever of these versions they upgrade to.
Workarounds
- Restrict network access to the GitHub Enterprise Server appliance using perimeter controls until patches can be applied.
- Deploy a reverse proxy or WAF rule that blocks path traversal patterns in upload endpoint parameters.
- Segment the appliance from sensitive internal services and metadata endpoints to limit SSRF blast radius.
# Example ModSecurity rule chain to block traversal sequences in upload endpoint parameters
# (adapt to your WAF syntax). "/upload" is a placeholder: substitute the real endpoint path
# from the vendor release notes. Run it with pass,log instead of deny first, because it also
# blocks legitimate requests whose parameters happen to contain a ".." segment.
# t:urlDecodeUni decodes one level, so the %2f / %5c alternatives catch double-encoded input.
SecRule REQUEST_URI "@rx /upload" "id:1009312,phase:2,chain,deny,status:400,log,msg:'CVE-2026-9312 traversal sequence in upload parameter'"
    SecRule ARGS|ARGS_NAMES|REQUEST_URI "@rx \.\.(?:[\\/]|%2f|%5c)" "t:none,t:urlDecodeUni,t:lowercase"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


