Description
A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library. The hostname validation used a different URL parser than the request library, enabling a crafted URL to pass validation while directing the request to an unintended host. Exploitation required network access to the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.16.18, 3.17.15, 3.18.9, 3.19.6, and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program.
Published: 2026-05-07
Score: 7.9 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the GitHub Enterprise Server notebook viewer, where the hostname validation uses a different URL parser than the HTTP request library. This mismatch allows a crafted URL to pass validation while directing the server to an unintended internal host, resulting in a server‑side request forgery. An attacker can cause the instance to fetch data from any internal endpoint, potentially exfiltrating sensitive information and compromising confidentiality.

Affected Systems

GitHub Enterprise Server releases prior to 3.21 are affected. All versions up to 3.20, including 3.16.18, 3.17.15, 3.18.9, 3.19.6, and 3.20.2, have been patched. Any GitHub Enterprise Server installation running those earlier versions is considered exposed.

Risk and Exploitability

The CVSS base score of 7.9 signals a high‑severity SSRF that can allow attackers to access internal resources. The EPSS score is not available, and the vulnerability is not yet listed in CISA KEV, indicating no widely reported exploitation. Exploitation requires network access to the GitHub Enterprise Server instance and use of the notebook viewer feature. Once the attacker submits a crafted URL, the server can reach arbitrary internal hosts, enabling unauthorized data access.

Generated by OpenCVE AI on May 7, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched GitHub Enterprise Server release (3.16.18, 3.17.15, 3.18.9, 3.19.6, 3.20.2, or later).
  • If an upgrade cannot be performed immediately, disable or restrict access to the notebook viewer feature for all users.
  • Apply network segmentation or firewall rules to block outbound requests from the GitHub Enterprise Server to internal hosts that should not be reachable.

Generated by OpenCVE AI on May 7, 2026 at 22:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Github
Github enterprise Server
Vendors & Products Github
Github enterprise Server

Thu, 07 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library. The hostname validation used a different URL parser than the request library, enabling a crafted URL to pass validation while directing the request to an unintended host. Exploitation required network access to the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.16.18, 3.17.15, 3.18.9, 3.19.6, and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program.
Title Server-side request forgery vulnerability in GitHub Enterprise Server notebook viewer via URL parser confusion
Weaknesses CWE-436
CWE-918
References
Metrics cvssV4_0

{'score': 7.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}

Subscriptions

Github Enterprise Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_P

Published:

Updated: 2026-05-07T21:18:49.812Z

Reserved: 2026-05-06T13:06:48.690Z

Link: CVE-2026-8034

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-07T22:16:37.230

Modified: 2026-05-07T22:16:37.230

Link: CVE-2026-8034

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T22:30:36Z

Weaknesses