Severity by source
Primary rating from GitHub Advisory (the only source for this CVE).
CVSS vector (GitHub Advisory):
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (GitHub Advisory)
A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library. The hostname validation used a different URL parser than the request library, enabling a crafted URL to pass validation while directing the request to an unintended host. Exploitation required network access to the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.16.18, 3.17.15, 3.18.9, 3.19.6, and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program.
Analysis (AI)
Server-side request forgery in GitHub Enterprise Server's notebook viewer enables remote unauthenticated attackers to access internal services and systems through URL parser confusion. The vulnerability exploits discrepancies between validation and request execution parsers, allowing crafted URLs to bypass hostname checks and target unintended internal hosts. …
Vulnerability Assessment (AI)
| Exploitation | Exploitation requires network access to the GitHub Enterprise Server instance and the ability to trigger the notebook viewing functionality. … |
| Risk Assessment | This vulnerability presents significant real-world risk for organizations running GitHub Enterprise Server in environments with sensitive internal services. … |
| Exploit Scenario | An external attacker identifies a GitHub Enterprise Server instance and crafts a malicious notebook containing specially encoded URLs designed to exploit parser confusion. When the notebook viewer processes this content, the validation layer interprets the URL as pointing to an approved external resource, but the HTTP request library parses it to target an internal service such as the cloud metadata endpoint (169.254.169.254) or an internal API server. … |
| Remediation | Upgrade GitHub Enterprise Server to the patched release on your current branch (3.16.18, 3.17.15, 3.18.9, 3.19.6, or 3.20.2), or migrate to 3.21.0 or later. … |
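The description and the exploit scenario above both come down to one mechanism: the validation layer and the request library parse the same string with different rules, so the host that is checked is not the host that is dialed. The following is an added example, not code from GitHub Enterprise Server or from this page. It uses two real parsers that genuinely disagree: the RFC 3986 Appendix B regex (authority ends only at `/`, `?` or `#`) as the validation side, and Node's WHATWG `URL` (what `fetch`/undici use; for http(s) a backslash also ends the authority) as the request side. The allowlist, the host names and the sample URLs are constructed for the example; `vulnerableDispatch` and `hardenedDispatch` are this example's own names.

```javascript
// Added example (not GitHub's code): two URL parsers disagreeing on the host.
// Validation side: RFC 3986 Appendix B regex.  Request side: Node's WHATWG URL.
// Allowlist and URLs below are constructed for this demonstration.

const RFC3986 = /^(([^:/?#]+):)?(\/\/([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?/;

// Host as an RFC 3986-style validation layer sees it.
function rfc3986Host(rawUrl) {
  const m = RFC3986.exec(rawUrl);
  if (!m || m[4] === undefined) return null;
  let auth = m[4];
  auth = auth.slice(auth.lastIndexOf("@") + 1);                 // drop userinfo
  if (auth.startsWith("[")) {                                    // IPv6 literal
    return auth.slice(1, auth.indexOf("]")).toLowerCase();
  }
  return auth.split(":")[0].toLowerCase();                       // drop port
}

// Host as a WHATWG-based request library sees it.
function whatwgHost(rawUrl) {
  try { return new URL(rawUrl).hostname; } catch { return null; }
}

// Vulnerable pattern: validate with one parser, then hand the *raw string*
// to a client that re-parses it with another.  Returns what was checked and
// what would actually be dialed.
function vulnerableDispatch(rawUrl, allowlist) {
  const checkedHost = rfc3986Host(rawUrl);
  if (checkedHost === null || !allowlist.includes(checkedHost)) {
    return { allowed: false, checkedHost, dialedHost: null };
  }
  return { allowed: true, checkedHost, dialedHost: whatwgHost(rawUrl) };
}

// Hardened pattern: parse once with the client's own parser, validate that
// parsed object, and give the client the serialized form, never the raw input.
// Returns the canonical URL to fetch, or null if it must not be fetched.
function hardenedDispatch(rawUrl, allowlist) {
  let u;
  try { u = new URL(rawUrl); } catch { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  if (u.username !== "" || u.password !== "") return null;      // refuse userinfo outright
  if (!allowlist.includes(u.hostname)) return null;             // hostname is already canonical here
  return u.href;
}

const ALLOWLIST = ["allowed.example.com"];                                       // constructed
const PAYLOAD = "http://169.254.169.254\\@allowed.example.com/notebook.ipynb";  // constructed

console.log("validation layer sees:", rfc3986Host(PAYLOAD));   // allowed.example.com
console.log("request library dials:", whatwgHost(PAYLOAD));    // 169.254.169.254
console.log("vulnerable:", vulnerableDispatch(PAYLOAD, ALLOWLIST));
console.log("hardened:", hardenedDispatch(PAYLOAD, ALLOWLIST));  // null
```

The hardened version removes the second parse rather than trying to enumerate every delimiter two parsers might disagree on; it also benefits from WHATWG canonicalization (scheme and host lowercased, IPv4 literals such as `0x7f000001` serialized as `127.0.0.1`) before the allowlist comparison. It does not address an allowlisted name resolving to an internal address (DNS rebinding) or redirects to internal hosts; those need checks at resolution and redirect time, outside this example.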
Recommended Action (AI)
Within 24 hours: Identify all GitHub Enterprise Server instances and document current versions. …
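Once the versions are collected, the triage step is comparing each one against the fixed release for its branch. This is an added helper, not from the page or from GitHub: the fixed versions are the ones the advisory lists (3.16.18, 3.17.15, 3.18.9, 3.19.6, 3.20.2, and 3.21 onward unaffected); the status labels, the function names and the sample inventory are this example's own. How you obtain each instance's version string is outside the example.

```javascript
// Added triage helper (not GitHub's code): classify a GHES version string
// against the fixed releases the advisory lists.  Labels are this example's own.
const FIXED_PATCH_BY_BRANCH = { "3.16": 18, "3.17": 15, "3.18": 9, "3.19": 6, "3.20": 2 };
const FIRST_UNAFFECTED = [3, 21];   // "all versions prior to 3.21" are affected

function assessVersion(version) {
  const m = /^\s*v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) return "unknown";
  const [major, minor, patch] = m.slice(1, 4).map(Number);
  if (major > FIRST_UNAFFECTED[0] || (major === FIRST_UNAFFECTED[0] && minor >= FIRST_UNAFFECTED[1])) {
    return "not-affected";
  }
  const fixed = FIXED_PATCH_BY_BRANCH[`${major}.${minor}`];
  // Branch older than 3.16: affected, and no patched release is listed for it,
  // so the only remediation is moving to a branch that has one.
  if (fixed === undefined) return "affected-no-fix-on-branch";
  return patch >= fixed ? "fixed" : "affected";
}

// Annotate an inventory and float the affected instances to the top.
function triage(inventory) {
  return inventory
    .map(({ host, version }) => ({ host, version, status: assessVersion(version) }))
    .sort((a, b) => Number(b.status.startsWith("affected")) - Number(a.status.startsWith("affected")));
}

const SAMPLE_INVENTORY = [   // constructed sample, not real hosts
  { host: "ghes-prod.corp.example", version: "3.18.4" },
  { host: "ghes-dr.corp.example", version: "3.20.2" },
  { host: "ghes-lab.corp.example", version: "3.15.3" },
  { host: "ghes-new.corp.example", version: "3.21.0" },
];

console.table(triage(SAMPLE_INVENTORY));
```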
Weakness: CWE-918 – Server-Side Request Forgery (SSRF)
Identifiers: EUVD-2026-28464, GHSA-w548-vv26-rff6