CVE-2026-5921
SSRF in GitHub Enterprise Server Enables Sensitive Data Leak
Publication date: 2026-04-21
Last updated on: 2026-04-28
Assigner: GitHub, Inc. (Products Only)
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| github | enterprise_server | Up to 3.14.26 (exc) |
| github | enterprise_server | From 3.15.0 (inc) to 3.15.21 (exc) |
| github | enterprise_server | From 3.16.0 (inc) to 3.16.17 (exc) |
| github | enterprise_server | From 3.17.0 (inc) to 3.17.14 (exc) |
| github | enterprise_server | From 3.18.0 (inc) to 3.18.8 (exc) |
| github | enterprise_server | From 3.19.0 (inc) to 3.19.5 (exc) |
| github | enterprise_server | 3.20.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that your GitHub Enterprise Server is updated to one of the fixed versions: 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, or 3.20.1.
Additionally, confirm that private mode is enabled: with private mode disabled, the notebook viewer follows HTTP redirects without revalidating the destination host, which is the behaviour this SSRF relies on.
Can you explain this vulnerability to me?
This vulnerability is a server-side request forgery (SSRF) issue in GitHub Enterprise Server. It allows an attacker to extract sensitive environment variables from the server by exploiting a timing side-channel attack against the notebook rendering service.
When private mode is disabled, the notebook viewer follows HTTP redirects without checking the destination host again. This enables an unauthenticated SSRF attack to internal services.
The attacker can combine this with regex filter queries against an internal API and measure response time differences to infer secret values character by character.
Exploitation requires private mode to be disabled and the attacker to chain the instance's open redirect endpoint through an external redirect to reach internal services.
This vulnerability affects all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, and 3.20.1.
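To illustrate the missing check the answer describes, the fetcher below re-validates every redirect hop against a public-address policy before connecting. This is example code written for this page, not GitHub's code; the hostnames, IP addresses and HTTP responses are constructed stand-ins so it runs offline.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed DNS table (hypothetical names) so the example runs offline.
FAKE_DNS = {
    "notebooks.example.com": "93.184.216.34",
    "redirector.example.net": "151.101.1.140",
    "ghes-internal.example": "10.0.0.5",
}
# Constructed HTTP layer: url -> (status, redirect target or body).
FAKE_HTTP = {
    "https://notebooks.example.com/a.ipynb": (302, "https://redirector.example.net/go"),
    "https://redirector.example.net/go": (302, "http://ghes-internal.example/api/"),
    "http://ghes-internal.example/api/": (200, "internal-only response"),
    "https://notebooks.example.com/b.ipynb": (301, "https://redirector.example.net/b"),
    "https://redirector.example.net/b": (200, '{"cells": []}'),
}
ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5


def validate_destination(url, dns=FAKE_DNS):
    """Reject URLs that would reach a non-public address; return the resolved IP."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.hostname:
        raise ValueError(f"bad scheme or host in {url}")
    if parsed.hostname not in dns:
        raise ValueError(f"unresolvable host: {parsed.hostname}")
    ip = ipaddress.ip_address(dns[parsed.hostname])
    # Private, loopback, link-local and other special ranges are all non-global.
    if not ip.is_global or ip.is_multicast:
        raise ValueError(f"refusing non-public destination {parsed.hostname} ({ip})")
    return str(ip)


def fetch(start_url, http=FAKE_HTTP):
    """Follow redirects, re-validating the destination on every hop.

    Checking only the first URL is the defect the advisory describes: the start
    URL is public, but a later redirect points at an internal service.
    """
    url = start_url
    for _ in range(MAX_HOPS):
        validate_destination(url)  # the per-hop check the vulnerable viewer skipped
        status, payload = http[url]
        if status in REDIRECT_CODES:
            url = payload
            continue
        return url, payload
    raise ValueError("too many redirects")
```

The benign chain (`b.ipynb`) completes, while the chain that bounces through the external redirector to an internal host is refused at the hop that resolves to a private address.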
How can this vulnerability impact me?
This vulnerability can allow an attacker to extract sensitive environment variables from your GitHub Enterprise Server instance without authentication.
By exploiting the SSRF and timing side-channel attack, attackers can gain access to secret values that could compromise the security of your internal services and data.
Such exposure could lead to unauthorized access, data leakage, or further attacks within your internal network.