
CVE-2026-9312 — GitHub Enterprise Server (< 3.22): unauthenticated SSRF via upload-endpoint path traversal exposes internal services and credentials

From CTI Daily Brief — 2026-05-27 · published 2026-05-27

An unauthenticated attacker can inject path-traversal content into the request parameters of a GitHub Enterprise Server upload endpoint. Insufficient input validation lets the crafted request bypass the intended upload flow and redirect internal API calls to arbitrary internal services, potentially reading internal service responses and exposing sensitive credentials such as GitHub App tokens, service-account keys and internal API secrets (ENISA EUVD EUVD-2026-32027, 2026-05-27).

The flaw (also tracked as GHSA-fwfp-h68w-2hcr, CVSS 4.0 score 9.2) was reported through the GitHub Bug Bounty program and affects all GHES releases prior to 3.22; fixes ship in 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4 and 3.21.1 (GitHub Security Advisory GHSA-fwfp-h68w-2hcr).

EPSS is 0.0 and no in-the-wild exploitation is reported, but on-prem GHES is common in Swiss financial-sector and EU large-enterprise development estates, and an SSRF that reaches internal credential stores is a direct foothold for lateral movement (T1190 Exploit Public-Facing Application).

Patch to the relevant fixed release. Until patched, restrict who can reach the GHES management/upload surface at the network layer and hunt server access logs for upload-endpoint requests carrying ../ or %2e%2e%2f traversal sequences.
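The access-log hunt recommended above, as an added example that is not part of the brief or of GitHub's own tooling: a small Python detector that flags requests to the upload endpoint whose path still contains a traversal sequence after repeated percent-decoding, so that plain `../`, encoded `%2e%2e%2f` and double-encoded `%252e%252e%252f` variants are all caught. The combined-format log lines and the `/upload/` path prefix are constructed assumptions; substitute the endpoint path as it appears in your own GHES logs.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real GHES logs.
SAMPLE_LOG = """\
203.0.113.7 - - [27/May/2026:10:01:02 +0200] "POST /upload/file?name=report.pdf HTTP/1.1" 200 512 "-" "curl/8.5"
203.0.113.9 - - [27/May/2026:10:01:05 +0200] "POST /upload/file?name=../../internal/config HTTP/1.1" 400 0 "-" "python-requests/2.31"
198.51.100.4 - - [27/May/2026:10:02:11 +0200] "POST /upload/file?name=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 500 0 "-" "curl/8.5"
198.51.100.5 - - [27/May/2026:10:02:30 +0200] "GET /api/v3/repos HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.8 - - [27/May/2026:10:03:00 +0200] "POST /upload/file?name=%252e%252e%252fsecrets HTTP/1.1" 400 0 "-" "curl/8.5"
192.0.2.9 - - [27/May/2026:10:03:10 +0200] "GET /search?q=..%2f HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Matches "../" or "..\" once encoding has been stripped.
TRAVERSAL_RE = re.compile(r'(?:\.\./|\.\.\\)')
UPLOAD_PREFIX = "/upload/"  # assumed endpoint path; replace with the real one


def normalize(path, rounds=3):
    """Percent-decode up to `rounds` times so %2e%2e%2f and %252e%252e%252f collapse to ../"""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def hunt_traversal(log_text, upload_prefix=UPLOAD_PREFIX):
    """Return one record per upload-endpoint request carrying a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        raw = m.group("path")
        if not raw.startswith(upload_prefix):
            continue  # traversal elsewhere is out of scope for this hunt
        if TRAVERSAL_RE.search(normalize(raw)):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": m.group("status"), "path": raw})
    return hits


if __name__ == "__main__":
    for h in hunt_traversal(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['status']} {h['path']}")
```

The non-upload `/search?q=..%2f` line is deliberately skipped so the hunt stays scoped to the endpoint the advisory names; widen `upload_prefix` if your deployment exposes several upload paths.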