GitHub Enterprise Server 3.20.3 Fixes Critical Security Vulnerabilities
GitHub Enterprise Server (GHES) 3.20.3 was released on May 26, 2026, to fix multiple critical and high-severity vulnerabilities that could let attackers access internal services, escalate privileges, or extract sensitive data.
Administrators must rotate cryptographic signing keys before applying the update; GitHub revoked the previous release-package signing key and provided a script to rotate GPG public keys on GHES instances.
GitHub Enterprise Server Vulnerabilities
CVE-2026-9312 (SSRF, pre-auth): A server-side request forgery in an upload endpoint allowed crafted requests to reach internal services because input validation was insufficient.
An attacker with network access to a GHES instance could use this to probe internal endpoints, expose sensitive credentials, or trigger unauthorized backend interactions. GitHub fixed the issue by tightening validation of request parameters to block malicious input.
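The page does not show GitHub's code for the affected upload endpoint, so the following is an added illustration of the bug class, not GHES's or GitHub's own fix. It contrasts a URL check that validates only the scheme (the "insufficient input validation" pattern) with a hardened check that enforces a host allowlist, rejects userinfo and unusual ports, resolves the name and refuses any loopback, private, link-local (cloud metadata) or reserved address, then returns the resolved IP so the caller connects to exactly the address that was validated. The allowlist hosts, the sample IP and the `sample_resolver` stub are constructed so the example runs offline; `cdn.example.com` is made to resolve to an internal address to show the DNS-rebinding case.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist: the only hosts this upload endpoint legitimately fetches from.
ALLOWED_HOSTS = {"avatars.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed stand-in for DNS so the example runs offline. The second entry
# simulates an allowlisted name that (re)binds to an internal address.
SAMPLE_DNS = {
    "avatars.example.com": ["93.184.216.34"],
    "cdn.example.com": ["10.0.0.5"],
}


def sample_resolver(host, port, family=0, type=0, proto=0, flags=0):
    """Mimics socket.getaddrinfo's return shape for the constructed SAMPLE_DNS."""
    if host not in SAMPLE_DNS:
        raise socket.gaierror(f"constructed DNS has no entry for {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (ip, port))
            for ip in SAMPLE_DNS[host]]


def is_public_ip(ip_str):
    """True only for addresses that are not loopback, private, link-local
    (169.254.0.0/16 covers cloud metadata services), multicast or reserved."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def vulnerable_target(url):
    """The insufficient check: only the scheme is validated, so any host the
    server can route to, including internal services, is accepted."""
    p = urlparse(url)
    if p.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    return p.hostname, p.port or (443 if p.scheme == "https" else 80)


def hardened_target(url, resolver=socket.getaddrinfo):
    """Validate scheme, userinfo, host allowlist and port, then resolve the host
    and check every returned address. Returns (host, pinned_ip, port); the
    caller must connect to pinned_ip (sending Host: host) so a later DNS
    answer cannot redirect the request. Raises ValueError on rejection."""
    p = urlparse(url)
    if p.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    if p.username is not None or p.password is not None:
        raise ValueError("userinfo in URL not allowed")
    host = p.hostname
    if not host or host.rstrip(".") not in ALLOWED_HOSTS:
        raise ValueError("host not on allowlist")
    port = p.port or (443 if p.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError("port not allowed")
    addrs = sorted({info[4][0] for info in resolver(host, port, proto=socket.IPPROTO_TCP)})
    if not addrs:
        raise ValueError("host did not resolve")
    for addr in addrs:
        if not is_public_ip(addr):
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return host, addrs[0], port


def is_safe_upload_url(url, resolver=socket.getaddrinfo):
    """Boolean wrapper: False for rejected URLs and for names that fail to resolve."""
    try:
        hardened_target(url, resolver)
        return True
    except (ValueError, OSError):
        return False


if __name__ == "__main__":
    probe = "http://169.254.169.254/latest/meta-data/"
    print("vulnerable check accepts:", vulnerable_target(probe))
    print("hardened check accepts:", is_safe_upload_url(probe, sample_resolver))
    print("hardened pinned target:",
          hardened_target("https://avatars.example.com/u/1.png", sample_resolver))
```

Pinning the resolved address is the part most implementations skip: a scheme-and-allowlist check alone still lets an attacker-controlled DNS record for an allowlisted name answer with an internal IP on the second lookup that the HTTP client performs. Redirects must be handled the same way, by re-running the check on every hop rather than letting the client follow them automatically.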
CVE-2026-43284 and CVE-2026-43500 (Dirty Frag kernel bugs): Two Linux kernel vulnerabilities affecting IPsec ESP and RxRPC subsystems let an attacker with local access escalate to root. These are serious local privilege-escalation vectors and require host-level mitigation and kernel updates.
CVE-2026-8606 (timing side-channel + SSRF): A timing side-channel together with an SSRF allowed extraction of sensitive environment variables via GitHub Packages.
This could be exploited without authentication when Packages’ private mode was disabled, or by any authenticated user when authentication was required. GitHub removed the vulnerable package URL endpoint from GHES to eliminate this attack path.
GitHub Enterprise Server 3.20.3 Fixes
Nomad snapshotting: Service start/stop actions sometimes failed to trigger snapshotting; this release restores expected snapshot behavior to improve resilience.
Markdown rendering: A bug that prevented images uploaded before an upgrade from an older version from displaying correctly inside tables has been fixed.
Secret-scanning bypass: GitHub corrected an issue where capture groups could be abused to bypass wildcard restrictions in secret scanning, which could degrade detection effectiveness.
OpenTelemetry collector memory: Default memory allocation for the collector increased from 1024 MiB to 4096 MiB to reduce metrics loss during high load.
Cluster monitoring and metrics: Monitoring now gives better visibility across nodes regardless of leadership, and metric naming changes reduce collisions that previously caused data gaps in large deployments.
Mitigation and Recommendations
GPG key rotation: Administrators must rotate the GHES GPG public key before applying the patch; GitHub’s provided script automates the change but operators should test it in staging first.
Firewall rules: Custom firewall rules are removed during the upgrade and must be reapplied manually afterward.
Locked root accounts: In some cases, root administrator accounts may remain locked after repeated failed logins; manual unlocking via SSH may be required.
Post-upgrade validation: Verify all critical services, integrations, cluster health, monitoring, and secret-scanning behavior after completing the update, and confirm that metrics collection shows no new gaps.
Rollout order: Rotate the GPG signing key first, then apply GHES 3.20.3 in a maintenance window; rehearse both steps in a staging environment so that the firewall-rule removal and locked administrator accounts do not disrupt operations.
Network exposure: Restrict network access to GHES instances (least-privilege network segmentation) to reduce SSRF exposure.
Kernel patching: Patch host kernels promptly to mitigate the Dirty Frag local privilege-escalation vulnerabilities.
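Because the upgrade drops custom firewall rules and the recommendations above call for validating the instance afterwards, a practical check is to capture the rule set before upgrading and diff it against the live rules once the instance is back. The script below is an added example, not a GitHub-provided tool: it assumes the rules were captured with `iptables-save` (the format it parses), that operator-added rules carry a `ghes-custom` comment tag (a naming convention assumed here so GHES-managed rules do not show up as noise), and both rule dumps are constructed samples. The sample rules restrict the administrative SSH port (122) and HTTPS to two subnets and set a DROP policy on INPUT; the "after" dump is missing all of them.

```python
import re

# Constructed iptables-save output captured before the upgrade. Lines tagged
# with the "ghes-custom" comment are the operator's own additions.
BASELINE = """\
# Generated by iptables-save v1.8.7 on Tue May 26 09:00:00 2026
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[1200:96000] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
[88:5280] -A INPUT -s 10.20.0.0/24 -p tcp --dport 122 -m comment --comment "ghes-custom" -j ACCEPT
[40:2400] -A INPUT -s 10.30.0.0/16 -p tcp --dport 443 -m comment --comment "ghes-custom" -j ACCEPT
[3:180] -A INPUT -p tcp --dport 443 -m comment --comment "ghes-custom" -j DROP
COMMIT
"""

# Constructed output after the upgrade: the custom rules are gone and the
# INPUT chain policy has reverted to ACCEPT.
AFTER_UPGRADE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

COUNTERS = re.compile(r"\s*\[\d+:\d+\]\s*")  # "[packets:bytes]" emitted by iptables-save -c


def parse_iptables_save(text):
    """Return {table: [lines in file order]} with counters and comments removed.
    Chain-policy lines (":INPUT DROP") are kept so a policy change is detected."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = COUNTERS.sub(" ", raw).strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            current = line[1:]
            tables.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"rule before any *table line: {raw!r}")
        tables[current].append(line)
    return tables


def missing_rules(baseline_text, current_text, marker=None):
    """Per table, the baseline rules (in original order) that are absent now.
    With marker set, only rules containing that tag are compared; chain
    policies are always compared because a reverted DROP policy matters."""
    base = parse_iptables_save(baseline_text)
    cur = parse_iptables_save(current_text)
    missing = {}
    for table, rules in base.items():
        present = set(cur.get(table, []))
        gone = [r for r in rules
                if r not in present
                and (marker is None or marker in r or r.startswith(":"))]
        if gone:
            missing[table] = gone
    return missing


def restore_commands(missing):
    """iptables commands that reapply the missing entries. Rules are replayed
    in baseline order so ACCEPTs land before the trailing DROP; policies are
    applied last so a DROP policy is never set before its ACCEPT rules exist."""
    cmds = []
    for table, lines in missing.items():
        for line in lines:
            if not line.startswith(":"):
                cmds.append(f"iptables -t {table} {line}")
        for line in lines:
            if line.startswith(":"):
                chain, policy = line[1:].split()[:2]
                cmds.append(f"iptables -t {table} -P {chain} {policy}")
    return cmds


if __name__ == "__main__":
    gone = missing_rules(BASELINE, AFTER_UPGRADE, marker="ghes-custom")
    for table, lines in gone.items():
        print(f"*{table}: {len(lines)} entries missing after upgrade")
    print("\n".join(restore_commands(gone)))
```

Run the capture step (`iptables-save` into a file) from the administrative shell before the maintenance window, and the comparison afterwards; review the generated commands rather than piping them straight into a shell, since the upgrade may also have legitimately changed rules that GHES manages itself.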