Tags: CVE, GitHub, SSRF, infrastructure

CVE-2026-9312: GitHub Enterprise Server Has an SSRF. Yes, That GitHub.

An unauthenticated attacker can reach internal services and steal credentials through GitHub Enterprise Server. If GitHub can ship an SSRF, what's hiding in your infrastructure?

Darius J Davis · May 28, 2026

GitHub got caught shipping an SSRF.

Not a startup. Not some open-source side project running on vibes. GitHub. The platform that literally hosts the world's source code. The company Microsoft paid $7.5 billion for.

CVE-2026-9312. Server-side request forgery. An unauthenticated attacker with network access to a GitHub Enterprise Server instance could send crafted requests to internal services through a vulnerable upload endpoint. No login required. Just reach the server and start poking.

The upload endpoint didn't validate its input properly. An attacker could inject path traversal content into request parameters, redirect internal API calls, and reach backend services that were never supposed to be externally accessible. Internal APIs. Stored credentials. Restricted infrastructure.

Every version of GitHub Enterprise Server before 3.22 was affected. That's a lot of instances sitting behind corporate firewalls right now, running code that trusts upload parameters it shouldn't trust.


What's an SSRF and why should you care?

SSRF stands for server-side request forgery. Here's the simple version:

Your server is supposed to accept uploads from users. Normal stuff. But the upload endpoint also makes requests to other internal services as part of processing. An attacker figures out they can manipulate that process to make the server request anything they want internally.

Think of it like this: you have a receptionist who takes delivery packages and brings them inside. SSRF is when someone hands the receptionist a package with instructions that say "also, while you're in there, go open the safe and photograph everything inside." And the receptionist does it because the instructions looked like they came from management.

The attacker never enters the building. They just abuse the trust the receptionist has internally.

In GitHub's case, the upload endpoint was the receptionist. Internal APIs and credential stores were the safe.

The bigger question for your business.

If GitHub's engineering team shipped an SSRF in a product used by thousands of enterprises globally, what do you think is sitting in your infrastructure?

Not rhetorical. Actually think about it.

Your company probably runs software that was:

  • Built by a smaller team with fewer security resources than GitHub
  • Deployed by someone who was focused on getting it working, not hardening it
  • Configured with default settings that haven't been reviewed since install
  • Never audited for vulnerabilities like SSRF because "it's behind the firewall"

"Behind the firewall" is not a security strategy. The whole point of SSRF is that the attacker doesn't need to be inside your network. They use your own server to reach what's inside.

What to do about it.

If you run GitHub Enterprise Server:

Patch immediately. Fixed in versions 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.1. Check your version, update, move on.

For everyone else:

1. Audit your upload endpoints. Anywhere your applications accept file uploads or user-provided URLs, ask: can the processing be redirected? Can the server be tricked into making requests to internal services? This is the most common SSRF pattern and it's in more applications than you'd think.

2. Network segmentation matters. If your web server can reach your database server, your credential store, your internal APIs, and your cloud metadata endpoint all on the same flat network, a single SSRF gives the attacker everything. Segment your networks. Limit what each service can reach.

3. Don't trust "internal" to mean "safe." The idea that anything behind the firewall is trusted is from a different era. Zero trust means verifying every request, even internal ones. Especially internal ones.

4. Regular vulnerability assessments. Not annual. Quarterly at minimum. Your software stack changes constantly. New versions ship with new bugs. The only way to catch them before attackers do is to look for them proactively.
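One concrete way to act on step 1 (audit what your upload and URL-fetch endpoints will reach) and step 3 (stop treating "internal" as safe): put an outbound-URL guard in front of any server-side fetch that resolves the destination itself and refuses loopback, private, link-local (where the cloud metadata address lives) and IPv4-mapped IPv6 targets before a single byte goes out. This is an added example in Python, not GitHub's code or the patched endpoint; the hostnames and addresses it uses are constructed.

```python
"""Outbound-URL guard for upload/fetch endpoints (added example, not GitHub's code)."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Ranges an app server should never be talked into reaching on a user's behalf:
# loopback, RFC 1918, CGNAT, link-local (the 169.254.169.254 cloud metadata
# address lives there), multicast/reserved, and the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]

def default_resolver(host):
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_blocked(ip_text):
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it is judged as the IPv4 it is.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def vet_outbound_url(url, resolver=default_resolver):
    """Return (hostname, pinned_ip) if the URL may be fetched, else raise ValueError.

    Resolve the name here and hand the pinned address to the HTTP client so it
    cannot be re-resolved to something else mid-request (DNS rebinding), and
    disable automatic redirects: re-run this check on every Location header."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username is not None or parts.password is not None:
        raise ValueError("URL must have a host and no embedded credentials")
    try:
        addrs = {str(ipaddress.ip_address(parts.hostname))}  # IP literal: no DNS
    except ValueError:
        addrs = resolver(parts.hostname)
    if not addrs:
        raise ValueError(f"{parts.hostname} does not resolve")
    for addr in addrs:
        if is_blocked(addr):
            raise ValueError(f"{parts.hostname} resolves to blocked address {addr}")
    return parts.hostname, sorted(addrs)[0]
```

The `resolver` parameter exists so the check can be unit-tested offline with a fake lookup table; in production leave the default so real DNS answers (all of them, not just the first) are inspected.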

This is the kind of thing that gets missed when you don't have someone whose job is to think about security. Your IT person is keeping the lights on. That's important. But who's checking whether the lights have a backdoor?

Call (773) 417-9994 or visit southsidechisolutions.com.


Ready to secure your business?

Free 30-minute consultation. No sales script.

Call (773) 417-9994