Server-Side Request Forgery in GitHub Enterprise Server
CVE-2026-8606

7 HIGH (CVSS v4)

Key Information:

Vendor: GitHub
CVE Published: 26 May 2026

What is CVE-2026-8606?

A Server-Side Request Forgery (SSRF) vulnerability was found in GitHub Enterprise Server that lets an attacker cause the server to issue HTTP requests to internal services. The flaw is in the security advisories package lookup feature: by measuring how long the lookup takes to respond, an attacker can infer sensitive information such as signing secrets and private keys. The issue is only reachable in environments where GitHub Packages is enabled. It affects all versions of GitHub Enterprise Server prior to 3.21.1; the fix ships in 3.21.1 and has been backported to 3.20.3, 3.19.7, 3.18.10, 3.17.16, and 3.16.19. On instances not running in private mode the vulnerability is exploitable without authentication, so operators should upgrade to a fixed version promptly.
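The version ranges and exposure conditions above are easy to misread during triage, so here is an added example (not GitHub's code) that encodes them: it parses a GHES version string, reports whether it falls inside an affected range and which release on that line fixes it, and maps the advisory's two exposure conditions (GitHub Packages enabled, private mode off) onto a remediation priority. The 3.16 to 3.18 lower bounds are derived from the advisory's statement that every version prior to 3.21.1 is affected; the sample meta response is constructed, and reading the version from an `installed_version` field is an assumption about the GHES `/api/v3/meta` endpoint.

```python
"""Triage helper for CVE-2026-8606 (SSRF in GitHub Enterprise Server).

Added example, not GitHub's code. Affected and fixed versions come from the
advisory text; the 3.16-3.18 lower bounds are derived from "all versions
prior to 3.21.1 are affected". SAMPLE_META is constructed, and the
`installed_version` field name is an assumption about the GHES meta endpoint.
"""
import json
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# First fixed release per release line, as listed in the advisory.
FIXED_BY_LINE: Dict[Tuple[int, int], str] = {
    (3, 21): "3.21.1",
    (3, 20): "3.20.3",
    (3, 19): "3.19.7",
    (3, 18): "3.18.10",
    (3, 17): "3.17.16",
    (3, 16): "3.16.19",
}
FIRST_FIXED = "3.21.1"  # advisory: everything prior to this is affected

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; trailing rc/build suffixes are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GHES version: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def assess(version: str) -> dict:
    """Decide whether a GHES version is affected and which release fixes it."""
    v = parse_version(version)
    result = {"version": version, "affected": False, "fixed_in": None, "note": ""}
    if v >= parse_version(FIRST_FIXED):
        result["note"] = "at or beyond the first fixed release"
        return result
    fixed = FIXED_BY_LINE.get(v[:2])
    if fixed is None:
        # Older than any line with a backport: affected, no in-line fix listed.
        result.update(affected=True, note="no fixed release on this line; move to a supported line")
    elif v < parse_version(fixed):
        result.update(affected=True, fixed_in=fixed, note=f"upgrade to {fixed}")
    else:
        result["note"] = "already on a patched release for this line"
    return result


def assess_meta(meta_json: str) -> dict:
    """Assess the version reported in a GHES /api/v3/meta response body."""
    meta = json.loads(meta_json)
    version = meta.get("installed_version")  # assumed field name
    if not version:
        raise ValueError("meta response has no installed_version field")
    return assess(version)


def triage(version: str, packages_enabled: bool, private_mode: bool) -> str:
    """Map the advisory's exposure conditions onto a remediation priority."""
    if not assess(version)["affected"]:
        return "none: version not affected"
    if not packages_enabled:
        return "low: affected version, but GitHub Packages is disabled"
    if not private_mode:
        return "critical: reachable without authentication (private mode off)"
    return "high: reachable by authenticated users"


# Constructed sample of a meta response, not captured from a real instance.
SAMPLE_META = json.dumps({"installed_version": "3.19.6", "verifiable_password_authentication": True})

if __name__ == "__main__":
    for ver in ["3.21.0", "3.21.1", "3.18.9", "3.18.10", "3.15.4", "3.22.0"]:
        print(assess(ver))
    print(assess_meta(SAMPLE_META))
    print(triage("3.20.2", packages_enabled=True, private_mode=False))
```

Versions older than 3.16 are reported as affected with no fix on their line, which is what "all versions prior to 3.21.1" implies; treat that as a prompt to move to a supported release line rather than as a statement that a patch exists there.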

Affected Version(s)

Enterprise Server 3.21.0 (fixed in 3.21.1)

Enterprise Server 3.20.0 to 3.20.2 (fixed in 3.20.3)

Enterprise Server 3.19.0 to 3.19.6 (fixed in 3.19.7)


CVSS V4

Score: 7
Severity: HIGH
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 26 May 2026

Credit

R31n