CVE-2026-1999
A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to access internal services bound to loopback or unspecified addresses, potentially disrupting background job processing, accessing administrative endpoints, metrics, and profiling data, or manipulating job queues. Exploitation required an authenticated user with permissions to configure webhooks (repository, organization, or GitHub App administrator privileges). This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.14.22, 3.15.17, 3.16.13, 3.17.10, 3.18.4, and 3.19.1. This vulnerability was reported via the GitHub Bug Bounty program.
Vendor
Product
CWE
Yayın Tarihi
2026-02-18 21:16:24
Güncelleme
2026-03-03 16:16:19
Source Identifier
product-cna@github.com
KEV Date Added
-
Kategoriler
Referanslar
https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.22
https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.17
https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.13
https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.10
https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.4
https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.1