CVE-2026-7541
Denial of service vulnerability in GitHub Enterprise Server allowed service disruption via unauthenticated API endpoint
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodies without size or depth limits, causing excessive CPU and memory consumption. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18. This vulnerability was reported via the GitHub Bug Bounty program.
| CWE | CWE-770 |
| Vendor | github |
| Product | enterprise server |
| Ecosystems | |
| Industries | Technology |
| Published | May 7, 2026 |
Stay Ahead of the Next One
Get instant alerts for github enterprise server
Be the first to know when new unknown vulnerabilities affecting github enterprise server are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
GitHub / Enterprise Server
3.16.0 โค 3.16.17 3.17.0 โค 3.17.14 3.18.0 โค 3.18.8 3.19.0 โค 3.19.5 3.20.0 โค 3.20.1
References
docs.github.com: https://docs.github.com/en/[email protected]/admin/release-notes#3.16.18 docs.github.com: https://docs.github.com/en/[email protected]/admin/release-notes#3.17.15 docs.github.com: https://docs.github.com/en/[email protected]/admin/release-notes#3.18.9 docs.github.com: https://docs.github.com/en/[email protected]/admin/release-notes#3.19.6 docs.github.com: https://docs.github.com/en/[email protected]/admin/release-notes#3.20.2
Credits
Nguyen Nhat Anh (GitHub: anh2025)