|
| 1 | +date: '2026-03-10' |
| 2 | +sections: |
| 3 | + security_fixes: |
| 4 | + - | |
| 5 | + **HIGH**: An attacker with push access to a repository could execute arbitrary code on the instance by injecting malicious values into Git push options. The push options were not properly sanitized before being included in internal headers used for Git operations, allowing the attacker to override internal metadata fields and achieve remote code execution. GitHub has requested CVE ID [CVE-2026-3854](https://www.cve.org/cverecord?id=CVE-2026-3854) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). |
| 6 | + - | |
| 7 | + **MEDIUM**: An attacker with read access to a repository and write access to a project could bypass repository write permissions to modify issue and pull request labels, assignees, and other metadata by adding duplicate items to the project. GitHub has requested CVE ID [CVE-2026-3306](https://www.cve.org/cverecord?id=CVE-2026-3306) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). |
| 8 | + bugs: |
| 9 | + - | |
| 10 | + Users experienced delays or failures when performing Git operations over HTTP. The operations could hang indefinitely due to a deadlock in the babeld service. |
| 11 | + - | |
| 12 | + When administrators applied configuration changes via the Management Console, the state shown would occasionally briefly flicker to a failure before being marked as successful causing confusion as to whether the configuration had succeeded. |
| 13 | + - | |
| 14 | + After an upgrade, `ghe-config-apply` could fail to remove some pre-upgrade Docker images and report `Error response from daemon: conflict: unable to delete <id>`. |
| 15 | + - | |
| 16 | + Administrators for instances using the collectd metrics stack saw empty `git fetch caching` graphs on the Management Console monitoring page. |
| 17 | + - | |
| 18 | + After upgrading, `ghe-config-apply` failed to start services including HAProxy and Redis. Docker images were incorrectly removed during the upgrade process, preventing services from starting. |
| 19 | + - | |
| 20 | + On the dependency graph page, users saw a banner promoting automatic dependency submission despite the feature being unavailable on GitHub Enterprise Server. The banner also linked to documentation that was inaccessible. |
| 21 | + - | |
| 22 | + Users experienced failures when migrating repositories with releases using GitHub Enterprise Importer. Migrations failed to import release assets that were incompletely uploaded at the time of export, as the export archive referenced assets without including the corresponding files. |
| 23 | + changes: |
| 24 | + - | |
| 25 | + To improve performance on large instances, HAProxy automatically scales its thread count based on available CPUs and uses higher connection limits for high-traffic backend services including GitHub Actions, database connections, job queues, and package registry. Administrators can override the thread count using `ghe-config haproxy-nbthread` if needed. |
| 26 | + - | |
| 27 | + On instances with a license for GitHub Advanced Security, code scanning-specific rate limits have been lifted and aligned with the default GitHub rate limits. Users can access higher limits through an exemption mechanism. |
| 28 | + known_issues: |
| 29 | + - | |
| 30 | + During an upgrade of GitHub Enterprise Server, custom firewall rules are removed. If you use custom firewall rules, you must reapply them after upgrading. |
| 31 | + - | |
| 32 | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. |
| 33 | + - | |
| 34 | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. See [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-web-ui/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account). |
| 35 | + - | |
| 36 | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. |
| 37 | + - | |
| 38 | + {% data reusables.release-notes.large-adoc-files-issue %} |
| 39 | + - | |
| 40 | + Admin stats REST API endpoints may time out on appliances with many users or repositories. Retrying the request until data is returned is advised. |
| 41 | + - | |
| 42 | + When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed. |
| 43 | + - | |
| 44 | + Running `ghe-config-apply` as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps. |
| 45 | + - | |
| 46 | + {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} |
| 47 | + - | |
| 48 | + When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`. |
| 49 | + - | |
| 50 | + An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning. |
| 51 | + - | |
| 52 | + In the header bar displayed to site administrators, some icons are not available. |
| 53 | + - | |
| 54 | + When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded. |
| 55 | + - | |
| 56 | + When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed. |
| 57 | + - | |
| 58 | + When initializing a new GHES cluster, nodes with the `consul-server` role should be added to the cluster before adding additional nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration. |
| 59 | + - | |
| 60 | + Administrators setting up cluster high availability (HA) may encounter a spokes error when running `ghe-cluster-repl-status` if a new organization and repositories are created before using the `ghe-cluster-repl-bootstrap` command. To avoid this issue, complete the cluster HA setup with `ghe-cluster-repl-bootstrap` before creating new organizations and repositories. |
| 61 | + - | |
| 62 | + After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance. |
| 63 | + - | |
| 64 | + After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the Actions workflow of a repository does not have any suggested workflows. |
| 65 | + - | |
| 66 | + Unexpected elements may appear in the UI on the repository overview page for locked repositories. |
| 67 | + - | |
| 68 | + On an instance hosted on Azure, commenting on an issue via email means the comment is not added to the issue. |
![release-controller[bot]](https://avatars.githubusercontent.com/in/223695?v=4&size=40){kind=avatar}
0 commit comments