GitHub Enterprise Server 3.20.3 Fixes Released With
GitHub has released GitHub Enterprise Server (GHES) 3.20.3, a security-driven patch addressing multiple critical and high-severity vulnerabilities and rotating the signing key used to validate GHES release packages.
Organizations running any earlier 3.20.x build are strongly encouraged to move to this version to close serious gaps affecting network‑exposed and multi‑tenant deployments.
A central change in GHES 3.20.3 is the revocation of the previous GPG signing key for release packages. From this patch onward, all GHES images are signed only with a new key, which means administrators must update the trusted public keys on their appliances before attempting the upgrade.
GitHub Enterprise 3.20.3 Fixes
GitHub provides an official script and documented procedure to automate this signing key rotation so admins can safely trust the new artifacts.
If the key rotation step is skipped, the appliance will fail signature verification during upgrade, blocking deployment of 3.20.3 and delaying important security fixes.
Critical pre‑auth SSRF in upload endpoint (CVE‑2026‑9312)
The headline fix in 3.20.3 is a critical pre‑authentication server‑side request forgery (SSRF) vulnerability in an upload endpoint.
Because input parameters were not strictly validated, an attacker with network access to the GHES instance could craft upload requests that cause the server to issue internal HTTP calls, potentially hitting internal services and exposing credentials or configuration data.
This issue, tracked as CVE‑2026‑9312 and reported via the GitHub Bug Bounty program, posed a serious risk to instances reachable from less‑trusted networks.
GitHub mitigated the flaw by tightening input validation on the endpoint, restricting which destinations can be contacted, and preventing it from being used as a general‑purpose SSRF primitive against internal infrastructure.
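As an added example of the destination-restriction pattern described above (this is illustrative code, not GitHub's fix or any GHES component), the check below allows a server-initiated fetch only when the scheme, host and port are on an allowlist and every address the host resolves to is public. The resolver is injectable so the policy can be exercised offline; `ALLOWED_HOSTS` and the sample addresses are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for illustration; a real policy comes from deployment config.
ALLOWED_HOSTS = {"storage.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}  # None means the scheme default


def is_public_address(addr):
    """True only for addresses outside loopback, RFC 1918/ULA, link-local
    (169.254.0.0/16), multicast, reserved and unspecified space."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(host):
    """Default resolver: every A/AAAA answer, since checking only the first
    answer lets a record mixing public and private addresses slip through."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_destination(url, resolver=resolve_all):
    """Return (allowed, reason). Allowed only when scheme, host, port and
    *all* resolved addresses pass; any single failure denies the request."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        # "https://allowed.host@other.example/" parses to hostname other.example
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addrs = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public {addr}"
    return True, "ok"
```

The caller should connect to the vetted address rather than resolving the name a second time, and must run the check again on every redirect target.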
“Dirty Frag” kernel privilege escalation (CVE‑2026‑43284, CVE‑2026‑43500)
GHES 3.20.3 also addresses two high‑severity privilege-escalation issues in the Linux kernel’s IPsec ESP and RxRPC networking subsystems, collectively known as “Dirty Frag.”
On vulnerable appliances, a local attacker could exploit these bugs to escalate from a regular user account to root, gaining full control over the underlying operating system.
GitHub requested CVE‑2026‑43284 and CVE‑2026‑43500 for these vulnerabilities and updated the bundled kernel to a fixed version as part of this patch.
In shared environments where multiple teams or automated processes have shell access, this reduces the risk that a low‑privileged foothold on the appliance can be escalated to a complete compromise.
Additional SSRF and secret‑exposure hardening
Beyond the main issues, GHES 3.20.3 rolls in several security fixes introduced across the previous 3.20.x updates that focus on SSRF and sensitive data exposure.
These include a timing side‑channel in the notebook viewer that could leak environment variables and an internal packages endpoint that could be abused for unauthenticated SSRF when private mode is disabled.
GitHub assigned CVE‑2026‑5921 and CVE‑2026‑8606 to these problems and notes that external researchers found many through the bug bounty program.
Together, these changes significantly reduce the attack surface for internal‑service access and secret exfiltration on misconfigured or internet‑facing GHES instances.
Reliability and Operations Improvements
The 3.20.3 release also includes non‑security improvements that boost resilience and observability in large deployments.
Nomad service lifecycle events now correctly trigger snapshots, helping preserve cluster state, and the default memory limit for the OpenTelemetry collector has been increased to prevent metrics dropouts under heavy load.
GitHub has also fixed UX and compatibility issues, such as broken rendering of legacy images in markdown tables and the presence of an unsupported Copilot tab in GitHub App settings on GHES.
These quality‑of‑life improvements reduce operational friction, allowing teams to focus on timely patching and security monitoring.
GitHub recommends that all customers on GHES 3.20.x prioritize upgrading to 3.20.3 after completing the required GPG key rotation using the official guidance.
Instances with exposure to untrusted networks or where multiple internal teams share access should treat this release as urgent, as it removes both a pre‑auth SSRF vector and a reliable local privilege-escalation path.
Administrators should also revisit the exposure of upload endpoints, notebook services, and package endpoints, applying additional network segmentation and access controls where possible.
This layered approach will help limit the blast radius of any future vulnerabilities and strengthen the overall security posture of self‑hosted GitHub environments.