Server-Side Request Forgery Vulnerability in GitHub Enterprise Server
CVE-2026-8034

7.9 HIGH

Key Information:

Vendor: GitHub
CVE Published: 7 May 2026

What is CVE-2026-8034?

A server-side request forgery (SSRF) vulnerability has been discovered in the notebook viewer of GitHub Enterprise Server that could allow an attacker to access internal services. The validation layer checks the hostname with a different URL parser than the one used by the HTTP request library, so the two can disagree about which host a URL refers to. An attacker can therefore craft a URL that passes validation but causes the request to be sent to an unintended internal host. Exploitation requires network access to the affected GitHub Enterprise Server instance. The flaw affects all versions prior to 3.21 and has been resolved in later releases.
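The parser mismatch described above is avoided when the validator and the HTTP client work from the same parse. The following is an added example, not GitHub's code or fix: it parses the URL once, checks the host, and returns a URL rebuilt from the validated components, which is the only string the client should fetch. The allowlist `ALLOWED_HOSTS`, the host `notebooks.example.com`, the https-only rule and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical policy for this example: only these hosts may be fetched.
ALLOWED_HOSTS = {"notebooks.example.com"}


class RejectedURL(ValueError):
    """Raised when a URL fails validation."""


def canonical_fetch_url(raw: str) -> str:
    """Validate `raw` and return a URL rebuilt from the validated parts.

    The caller must fetch the returned string, never `raw`, so the HTTP
    client cannot derive a different host than the one checked here.
    """
    # Backslashes, whitespace, control and non-ASCII characters are where
    # URL parsers most often disagree, so refuse them before parsing.
    if any(c == "\\" or not "!" <= c <= "~" for c in raw):
        raise RejectedURL("ambiguous character in URL")
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        raise RejectedURL(str(exc)) from exc
    if parts.scheme != "https":
        raise RejectedURL("scheme not allowed")
    if "@" in parts.netloc:
        raise RejectedURL("userinfo not allowed")
    host = (parts.hostname or "").rstrip(".")
    if host not in ALLOWED_HOSTS:  # exact match; IP literals never match
        raise RejectedURL("host not allowed")
    netloc = host if port is None else f"{host}:{port}"
    # Rebuild from the parsed components and drop the fragment.
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, ""))


def is_allowed(raw: str) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        canonical_fetch_url(raw)
        return True
    except RejectedURL:
        return False
```

Rejecting ambiguous input outright, instead of trying to normalise it, keeps the validator's view and the client's view of the host identical by construction.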

Affected Version(s)

Enterprise Server 3.16.0 <= 3.16.17

Enterprise Server 3.17.0 <= 3.17.14

CVSS V4

Score: 7.9
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

R31n