Server-Side Request Forgery Vulnerability in GitHub Enterprise Server
CVE-2026-5921

8.9 HIGH

Key Information:

Vendor:
GitHub

CVE Published:
21 April 2026

What is CVE-2026-5921?

A server-side request forgery (SSRF) vulnerability was discovered in the notebook rendering service of GitHub Enterprise Server. When private mode is disabled, the service does not validate HTTP redirects, which allows unauthenticated access to internal services. By combining timing side-channel measurements with regex filters against internal APIs, an attacker can infer sensitive information one character at a time from differences in response time. This issue affects all GitHub Enterprise Server versions earlier than 3.21 and poses significant risk if private mode is compromised.

Affected Version(s)

Enterprise Server 3.14.0

Enterprise Server 3.14.0 < 3.14.26

Enterprise Server 3.15.0 < 3.15.21

CVSS V4

Score:
8.9
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Attack Requirements:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

R31n