CVE-2026-8606
Analyzed Analyzed - Analysis Complete
Server-Side Request Forgery in GitHub Enterprise Server

Publication date: 2026-05-27

Last updated on: 2026-06-01

Assigner: GitHub, Inc. (Products Only)

Description
A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server to issue HTTP requests to internal services via the security advisories package lookup feature. By directing requests to an internal management service and measuring response timing, an attacker could infer the values of sensitive environment variables, including signing secrets and private keys. Exploitation required GitHub Packages to be enabled; on instances not running in private mode the vulnerability was exploitable without authentication, otherwise any authenticated user could exploit it. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21.1 and was fixed in versions 3.20.3, 3.19.7, 3.18.10, 3.17.16, and 3.16.19. This vulnerability was reported via the GitHub Bug Bounty program.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-8606
EUVD
EUVD-2026-32025
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
github enterprise_server to 3.16.19 (exc)
github enterprise_server From 3.17.0 (inc) to 3.17.16 (exc)
github enterprise_server From 3.18.0 (inc) to 3.18.10 (exc)
github enterprise_server From 3.19.0 (inc) to 3.19.7 (exc)
github enterprise_server From 3.20.0 (inc) to 3.20.3 (exc)
github enterprise_server 3.21.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-8606 is a Server-Side Request Forgery (SSRF) vulnerability in GitHub Enterprise Server. It allows an attacker to make the server send HTTP requests to internal services using the security advisories package lookup feature.

By directing requests to an internal management service and analyzing response timing, the attacker can infer sensitive environment variables such as signing secrets and private keys.

Exploitation requires GitHub Packages to be enabled. If the instance is not running in private mode, the vulnerability can be exploited without authentication; otherwise, any authenticated user can exploit it.

This vulnerability affects all versions of GitHub Enterprise Server prior to 3.21.1 and was fixed in versions 3.20.3, 3.19.7, 3.18.10, 3.17.16, and 3.16.19.

Impact Analysis

This vulnerability can allow an attacker to access internal services that are normally protected from external access.

By exploiting the SSRF flaw, an attacker can infer sensitive environment variables including signing secrets and private keys, which could lead to further compromise of the system.

If exploited, it could result in unauthorized access to sensitive data and potentially allow attackers to perform actions on behalf of the server or escalate privileges.

Mitigation Strategies

To mitigate the Server-Side Request Forgery (SSRF) vulnerability in GitHub Enterprise Server, you should upgrade your instance to one of the fixed versions: 3.20.3, 3.19.7, 3.18.10, 3.17.16, or 3.16.19.

Additionally, ensure that GitHub Packages is disabled if not required, as exploitation requires this feature to be enabled.

For instances not running in private mode, restrict access or require authentication to prevent unauthenticated exploitation.

Compliance Impact

The CVE-2026-8606 vulnerability allows an attacker to infer sensitive environment variables, including signing secrets and private keys, by exploiting a Server-Side Request Forgery (SSRF) flaw in GitHub Enterprise Server. Such exposure of sensitive information could potentially lead to unauthorized access or data breaches.

However, there is no explicit information in the provided context or resources about how this vulnerability directly impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8606. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart