Description
A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server to issue HTTP requests to internal services via the security advisories package lookup feature. By directing requests to an internal management service and measuring response timing, an attacker could infer the values of sensitive environment variables, including signing secrets and private keys. Exploitation required GitHub Packages to be enabled; on instances not running in private mode the vulnerability was exploitable without authentication, otherwise any authenticated user could exploit it. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21.1 and was fixed in versions 3.20.3, 3.19.7, 3.18.10, 3.17.16, and 3.16.19. This vulnerability was reported via the GitHub Bug Bounty program.
Published: 2026-05-26
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Server‑Side Request Forgery that allows the GitHub Enterprise Server to send HTTP requests to internal services through the security advisories package lookup feature. By sending crafted URLs, an attacker can force the server to contact internal endpoints and observe timing to infer sensitive configuration values such as signing secrets and private keys. The flaw permits the disclosure of confidential data originating from internal services, potentially enabling further attacks.

Affected Systems

The issue affects all GitHub Enterprise Server releases before version 3.21.1. The CVE references the GitHub Enterprise Server product from GitHub. Patches were released in 3.20.3 through 3.16.19, covering all earlier releases. The affected configuration requires GitHub Packages enabled; instances not running in private mode are exploitable without authentication, while private mode instances allow any authenticated user to exploit the flaw.

Risk and Exploitability

The CVSS score is 7, indicating a high severity. EPSS data are not available, so the likelihood of automated exploitation cannot be quantified, but the flaw is publicly documented and was reported through the bug bounty program. It is not listed in CISA's KEV catalog. Exploitation requires network access to the GitHub Enterprise Server; the attacker can trigger internal requests by submitting a URL to the package lookup endpoint. In environments where GitHub Packages is enabled and the server is reachable, no authentication is needed for public instances, increasing the attack surface. In private‑mode instances, any authenticated user can exploit the SSRF, elevating the risk for internal services. Patch deployment or network isolation reduces risk.

Generated by OpenCVE AI on May 27, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest supported GitHub Enterprise Server release (at least 3.20.3 or later) where the vulnerability is fixed.
  • Disable GitHub Packages on instances that do not require it, or ensure the server runs in private mode to limit user exposure.
  • Configure internal network restrictions so the server cannot reach internal services via outbound HTTP requests, or apply a whitelist to the package lookup endpoint to allow only trusted URLs.
  • Validate and sanitize user‑supplied URLs before processing, following best practices for preventing SSRF.

Generated by OpenCVE AI on May 27, 2026 at 01:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
cpe:2.3:a:github:enterprise_server:3.21.0:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 27 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Github
Github enterprise Server
Vendors & Products Github
Github enterprise Server

Wed, 27 May 2026 00:15:00 +0000

Type Values Removed Values Added
Description A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server to issue HTTP requests to internal services via the security advisories package lookup feature. By directing requests to an internal management service and measuring response timing, an attacker could infer the values of sensitive environment variables, including signing secrets and private keys. Exploitation required GitHub Packages to be enabled; on instances not running in private mode the vulnerability was exploitable without authentication, otherwise any authenticated user could exploit it. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21.1 and was fixed in versions 3.20.3, 3.19.7, 3.18.10, 3.17.16, and 3.16.19. This vulnerability was reported via the GitHub Bug Bounty program.
Title Server-Side Request Forgery in GitHub Enterprise Server via Advisory Package URL Endpoint
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

Github Enterprise Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_P

Published:

Updated: 2026-05-27T13:50:10.475Z

Reserved: 2026-05-14T15:28:24.899Z

Link: CVE-2026-8606

cve-icon Vulnrichment

Updated: 2026-05-27T13:48:32.931Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T00:16:37.900

Modified: 2026-06-01T18:33:07.067

Link: CVE-2026-8606

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T01:30:16Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)