GitHub Enterprise Server allows attackers to access internal services
CVE-2026-1999
Summary
An authenticated user with certain permissions can access internal services, potentially disrupting job processing or gaining access to sensitive data. This issue affects all versions of GitHub Enterprise Server prior to 3.20, but is fixed in later versions. Update to a patched version to protect your organization.
What to do
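This record's affected-software data lists no fix. The vendor description below names fixed releases 3.14.22, 3.15.17, 3.16.13, 3.17.10, 3.18.4, and 3.19.1. Check with your software vendor for updates.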
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github | enterprise_server | <= 3.17.11 | – |
| github | enterprise_server | > 3.18.0, <= 3.18.5 | – |
| github | enterprise_server | > 3.19.0, <= 3.19.2 | – |
Original title
A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to access internal services bound to loopback or unspecified address...
Original description
A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to access internal services bound to loopback or unspecified addresses, potentially disrupting background job processing, accessing administrative endpoints, metrics, and profiling data, or manipulating job queues. Exploitation required an authenticated user with permissions to configure webhooks (repository, organization, or GitHub App administrator privileges). This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.14.22, 3.15.17, 3.16.13, 3.17.10, 3.18.4, and 3.19.1. This vulnerability was reported via the GitHub Bug Bounty program.
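A defensive audit for the condition the description names, as an added example that is not code from GitHub or from this page: it flags configured webhook URLs whose target is a loopback or unspecified address. The hook list, the resolver and all function names are assumptions; the IPv4-mapped IPv6 and bare-integer host forms go beyond what the description mentions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data: hook ids, URLs, ports and DNS answers are illustrative only.
SAMPLE_HOOKS = [
    (1, "https://ci.example.com/hook"),
    (2, "http://127.0.0.1:9090/metrics"),
    (3, "http://0.0.0.0:8080/"),
    (4, "http://[::ffff:127.0.0.1]/"),
    (5, "http://2130706433/"),
    (6, "http://queue.example.test/jobs"),
]
SAMPLE_DNS = {"ci.example.com": ["203.0.113.10"], "queue.example.test": ["::1"]}

def sample_resolve(host):
    """Stand-in resolver (assumption); a real audit would query DNS here."""
    return SAMPLE_DNS.get(host, [])

def _to_ip(host):
    """Parse an IP literal, including bare-integer IPv4 forms; None if not an IP."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        try:
            # "2130706433" or "0x7f000001": integer forms that inet_aton-style parsers accept
            ip = ipaddress.IPv4Address(int(host, 0))
        except ValueError:
            return None
    # Unwrap ::ffff:a.b.c.d so the embedded IPv4 address is the one checked
    return getattr(ip, "ipv4_mapped", None) or ip

def classify_webhook_target(url, resolve=None):
    """Return 'loopback', 'unspecified', 'unresolved' or 'ok' for a webhook URL."""
    host = urlsplit(url).hostname or ""
    literal = _to_ip(host)
    names = resolve(host) if (literal is None and resolve) else []
    addrs = [literal] if literal is not None else [a for a in map(_to_ip, names) if a is not None]
    if not addrs:
        return "unresolved"  # hostname with no resolver, or no answer: never treated as ok
    if any(a.is_loopback for a in addrs):
        return "loopback"
    return "unspecified" if any(a.is_unspecified for a in addrs) else "ok"

def audit_webhooks(hooks, resolve=None):
    """Return (hook_id, url, verdict) for every hook whose verdict is not 'ok'."""
    verdicts = ((hid, url, classify_webhook_target(url, resolve)) for hid, url in hooks)
    return [v for v in verdicts if v[2] != "ok"]
```

A check at configuration time does not cover a hostname that resolves differently later, so the same test belongs at delivery time on the address actually connected to.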
NVD CVSS 3.1: 6.5
NVD CVSS 4.0: 7.2
Vulnerability type: CWE-918, Server-Side Request Forgery (SSRF)
- https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.22
- https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.17
- https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.13
- https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.10
- https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.4
- https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.1
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026