CVE-2026-7541
HIGHGitHub Enterprise Server API - Unauthenticated Denial of Service
Title source: manualDescription
A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodies without size or depth limits, causing excessive CPU and memory consumption. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18. This vulnerability was reported via the GitHub Bug Bounty program.
References (5)
Core 5
Core References
Release Notes release-notes
https://docs.github.com/en/[email protected]/admin/release-notes#3.16.18
Release Notes release-notes
https://docs.github.com/en/[email protected]/admin/release-notes#3.17.15
Release Notes release-notes
https://docs.github.com/en/[email protected]/admin/release-notes#3.18.9
Release Notes release-notes
https://docs.github.com/en/[email protected]/admin/release-notes#3.19.6
Release Notes release-notes
https://docs.github.com/en/[email protected]/admin/release-notes#3.20.2
Scores
CVSS v3
7.5
EPSS
0.0037
EPSS Percentile
28.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (6)
GitHub/Enterprise Server
3.16.0 - 3.16.17
GitHub/Enterprise Server
3.17.0 - 3.17.14
GitHub/Enterprise Server
3.18.0 - 3.18.8
GitHub/Enterprise Server
3.19.0 - 3.19.5
GitHub/Enterprise Server
3.20.0 - 3.20.1
github/enterprise_server
< 3.16.18
Published
May 07, 2026
Tracked Since
May 08, 2026