CVE-2026-8606
Server-Side Request Forgery in GitHub Enterprise Server
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc. (Products Only)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| github | enterprise_server | to 3.21.1 (exc) |
| github | enterprise_server | 3.20.3 |
| github | enterprise_server | 3.19.7 |
| github | enterprise_server | 3.18.10 |
| github | enterprise_server | 3.17.16 |
| github | enterprise_server | 3.16.19 |
| github | enterprise_server | 3.19.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-8606 is a Server-Side Request Forgery (SSRF) vulnerability in GitHub Enterprise Server. It allows an attacker to make the server send HTTP requests to internal services using the security advisories package lookup feature.
By directing requests to an internal management service and analyzing response timing, the attacker can infer sensitive environment variables such as signing secrets and private keys.
Exploitation requires GitHub Packages to be enabled. If the instance is not running in private mode, the vulnerability can be exploited without authentication; otherwise, any authenticated user can exploit it.
This vulnerability affects all versions of GitHub Enterprise Server prior to 3.21.1 and was fixed in versions 3.20.3, 3.19.7, 3.18.10, 3.17.16, and 3.16.19.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to access internal services that are normally protected from external access.
By exploiting the SSRF flaw, an attacker can infer sensitive environment variables including signing secrets and private keys, which could lead to further compromise of the system.
If exploited, it could result in unauthorized access to sensitive data and potentially allow attackers to perform actions on behalf of the server or escalate privileges.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the Server-Side Request Forgery (SSRF) vulnerability in GitHub Enterprise Server, you should upgrade your instance to one of the fixed versions: 3.20.3, 3.19.7, 3.18.10, 3.17.16, or 3.16.19.
Additionally, ensure that GitHub Packages is disabled if not required, as exploitation requires this feature to be enabled.
For instances not running in private mode, restrict access or require authentication to prevent unauthenticated exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-8606 vulnerability allows an attacker to infer sensitive environment variables, including signing secrets and private keys, by exploiting a Server-Side Request Forgery (SSRF) flaw in GitHub Enterprise Server. Such exposure of sensitive information could potentially lead to unauthorized access or data breaches.
However, there is no explicit information in the provided context or resources about how this vulnerability directly impacts compliance with common standards and regulations such as GDPR or HIPAA.