Description
A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating the destination host, enabling an unauthenticated SSRF to internal services. By chaining this with regex filter queries against an internal API and measuring response time differences, an attacker could infer secret values character by character. Exploitation required that private mode be disabled and that the attacker be able to chain the instance's open redirect endpoint through an external redirect to reach internal services. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.
Published: 2026-04-21
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data exposure via SSRF and timing attack
Action: Upgrade
AI Analysis

Impact

A server-side request forgery flaw in GitHub Enterprise Server allowed an attacker to perform a timing side-channel attack against the notebook rendering service, extracting sensitive environment variables one character at a time. The vulnerability arises because the notebook viewer follows HTTP redirects without revalidating the destination host when private mode is disabled, permitting an unauthenticated SSRF to internal services. By chaining the instance’s open redirect endpoint through an external redirect, an attacker can query an internal API with regex filters and measure response times to infer environment variable values. This reflects a classic CWE-918 weakness where untrusted input is used to construct internal requests.
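
The redirect-revalidation gap described above, shown as an added Python example (not GitHub's code and not a description of how the notebook renderer is implemented): a fetcher that validates only the URL it was handed and then trusts every 3xx hop, beside the hardened form that re-checks each hop before requesting it. The hostnames, DNS answers, HTTP responses and the internal host 10.0.0.5 are constructed for the demo; the `fetch`, `destination_is_public` and `SSRFBlocked` names are this example's own.

```python
"""Redirect-following fetcher that revalidates the destination on every hop.

Added example (not GitHub's code). A renderer that validates only the URL it
was given and then blindly follows 3xx redirects is shown next to the hardened
form that re-checks each hop. The DNS table, the HTTP responses and the
internal host 10.0.0.5 below are constructed.
"""
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class SSRFBlocked(Exception):
    """Raised when a hop would reach a non-public address."""


def resolve_host(hostname):
    """Resolve a hostname to its address strings via real DNS."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def destination_is_public(url, resolver=resolve_host):
    """True only if the URL is http(s) and every address it maps to is globally routable.

    ip_address(...).is_global is False for loopback, RFC 1918 space, link-local
    (which covers the 169.254.169.254 cloud metadata address), CGNAT,
    documentation and other reserved ranges.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]  # IP literal in the URL
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
    return bool(addrs) and all(a.is_global for a in addrs)


def fetch(url, transport, resolver=resolve_host, revalidate_each_hop=True, max_hops=5):
    """Fetch url, following redirects; returns (status, body).

    revalidate_each_hop=False reproduces the vulnerable pattern: only the
    caller-supplied URL is checked and every later hop is trusted.
    """
    if not destination_is_public(url, resolver):
        raise SSRFBlocked(url)
    for _ in range(max_hops + 1):
        status, headers, body = transport(url)
        location = headers.get("Location")
        if status not in REDIRECT_STATUSES or location is None:
            return status, body
        url = urljoin(url, location)
        if revalidate_each_hop and not destination_is_public(url, resolver):
            raise SSRFBlocked(url)
    raise RuntimeError(f"more than {max_hops} redirects")


# Constructed stand-ins for DNS and HTTP so the demo runs offline.
FAKE_DNS = {
    "notebooks.example.com": ["93.184.216.34"],   # public address
    "redirector.example.net": ["93.184.216.35"],  # public, but it redirects inward
}
FAKE_HTTP = {
    "https://notebooks.example.com/demo.ipynb":
        (302, {"Location": "https://redirector.example.net/go"}, b""),
    "https://redirector.example.net/go":
        (302, {"Location": "http://10.0.0.5/internal/config"}, b""),
    "http://10.0.0.5/internal/config":
        (200, {}, b"SECRET_TOKEN=constructed-value"),
    "https://notebooks.example.com/ok.ipynb":
        (200, {}, b'{"cells": []}'),
}


def fake_resolver(hostname):
    return FAKE_DNS.get(hostname, [])


def fake_transport(url):
    return FAKE_HTTP[url]


def demo():
    """Run both fetcher variants over the constructed redirect chain."""
    chain = "https://notebooks.example.com/demo.ipynb"
    results = {}
    # Vulnerable: the first hop is public, so the chain is followed to 10.0.0.5.
    results["first_hop_only"] = fetch(
        chain, fake_transport, fake_resolver, revalidate_each_hop=False)
    # Hardened: the 10.0.0.5 hop is rejected before any request is sent to it.
    try:
        fetch(chain, fake_transport, fake_resolver)
        results["every_hop"] = "followed"
    except SSRFBlocked as exc:
        results["every_hop"] = f"blocked {exc}"
    results["benign"] = fetch(
        "https://notebooks.example.com/ok.ipynb", fake_transport, fake_resolver)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two caveats for a production version of this check. First, resolving the hostname for validation and then letting the HTTP library resolve it again to connect leaves a window for DNS rebinding; connect to the address that was validated (pin the IP and send the original Host header) rather than re-resolving. Second, the check must run on every hop, not just on redirects the client recognises: a 3xx with a relative `Location`, a scheme change, or a hop to an IP literal all need the same treatment.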

Affected Systems

The flaw applies to all GitHub Enterprise Server releases prior to 3.21. It was fixed in the following patch releases: 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, and 3.20.1. Users running older versions should check for and apply the latest update that includes this fix.
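
Because the fix landed as a separate patch release on each 3.x line, a plain "is it newer than 3.14.26" comparison gives the wrong answer for, say, 3.19.3. The following added Python example (not GitHub's or OpenCVE's code) encodes the rule stated above: a version is fixed if it is 3.21 or later, or at or above the patch release listed for its own release line. The `is_vulnerable` and `triage` names and the sample inventory are this example's own.

```python
"""Is a GitHub Enterprise Server version still exposed to this issue?

Added example, not GitHub's or OpenCVE's code. The fixed releases are the
ones named in the advisory text; a version counts as fixed when it is 3.21
or later, or at or above the patch release listed for its own 3.x line.
"""

FIXED_VERSIONS = ["3.14.26", "3.15.21", "3.16.17", "3.17.14", "3.18.8", "3.19.5", "3.20.1"]
FIRST_UNAFFECTED_LINE = (3, 21)


def parse_version(text):
    """'3.18.7' -> (3, 18, 7); rejects anything that is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a GHES version: {text!r}")
    return tuple(int(p) for p in parts)


# Release line (major, minor) -> first fixed version on that line.
FIXED_BY_LINE = {v[:2]: v for v in map(parse_version, FIXED_VERSIONS)}


def is_vulnerable(version):
    """True if the given version predates the fix for its release line."""
    major, minor, patch = parse_version(version)
    if (major, minor) >= FIRST_UNAFFECTED_LINE:
        return False
    fixed = FIXED_BY_LINE.get((major, minor))
    if fixed is None:
        # Lines with no patch listed (3.13 and earlier) are "prior to 3.21"
        # and have no fixed release, so they stay affected.
        return True
    return (major, minor, patch) < fixed


def triage(versions):
    """Map each version string to 'vulnerable', 'fixed' or 'unparseable'."""
    report = {}
    for v in versions:
        try:
            report[v] = "vulnerable" if is_vulnerable(v) else "fixed"
        except ValueError:
            report[v] = "unparseable"
    return report


if __name__ == "__main__":
    # Constructed inventory of instance versions to triage.
    inventory = ["3.18.7", "3.18.8", "3.19.3", "3.21.0", "3.13.12", "3.20"]
    for version, verdict in triage(inventory).items():
        print(f"{version:>8}: {verdict}")
```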

Risk and Exploitability

The CVSS score of 8.9 indicates a high-severity vulnerability that could lead to the compromise of confidential configuration information. The EPSS score is not available, and the issue is not listed in CISA KEV, but the lack of public exploitation data does not reduce the potential threat for customers who are exposed. The attack requires: private mode disabled, the ability to chain the instance’s open redirect endpoint through an external redirect to an internal service, and a working regex API endpoint. Once these prerequisites are met, an attacker can launch a side-channel attack, steadily revealing sensitive environment variables with a high degree of confidence within a reasonable time frame.

Generated by OpenCVE AI on April 22, 2026 at 06:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GitHub Enterprise Server to the most recent release that contains the patch (for example, any version 3.21 or newer).
  • If an upgrade is not immediately feasible, enable private mode in the notebook viewer to prevent the service from following redirects to internal hosts.
  • As an additional temporary countermeasure, restrict or disable open redirect functionality so that the instance cannot be chained to internal services.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 04:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Github; Github enterprise Server

Type: Vendors & Products
Values Removed: (none)
Values Added: Github; Github enterprise Server

Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating the destination host, enabling an unauthenticated SSRF to internal services. By chaining this with regex filter queries against an internal API and measuring response time differences, an attacker could infer secret values character by character. Exploitation required that private mode be disabled and that the attacker be able to chain the instance's open redirect endpoint through an external redirect to reach internal services. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.

Type: Title
Values Removed: (none)
Values Added: Server-Side Request Forgery in GitHub Enterprise Server allowed extraction of sensitive environment variables via timing side-channel attack

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-918

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0
{'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:P'}


Subscriptions

Github Enterprise Server
MITRE

Status: PUBLISHED

Assigner: GitHub_P

Published:

Updated: 2026-04-22T13:18:03.644Z

Reserved: 2026-04-08T20:59:17.367Z

Link: CVE-2026-5921

Vulnrichment

Updated: 2026-04-22T13:17:58.169Z

NVD

Status: Awaiting Analysis

Published: 2026-04-21T23:16:22.667

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-5921

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:30:10Z

Weaknesses