CVE-2026-8606
5.9 MEDIUM
A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the serve...
Published: 2026-05-27 · Last updated: 2026-06-01
Severity and scoring
- CVSS: 5.9 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE: CWE-918
Affected products
| Vendor | Product |
|---|---|
| github | enterprise_server |
Description
A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server to issue HTTP requests to internal services via the security advisories package lookup feature. By directing requests to an internal management service and measuring response timing, an attacker could infer the values of sensitive environment variables, including signing secrets and private keys. Exploitation required GitHub Packages to be enabled; on instances not running in private mode the vulnerability was exploitable without authentication, otherwise any authenticated user could exploit it. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21.1 and was fixed in versions 3.20.3, 3.19.7, 3.18.10, 3.17.16, and 3.16.19. This vulnerability was reported via the GitHub Bug Bounty program.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-8606
- [Other] https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.19
- [Other] https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.16
- [Other] https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.10
- [Other] https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.7
- [Other] https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.3
- [Other] https://docs.github.com/en/enterprise-server@3.21/admin/release-notes#3.21.1
Related CVEs
Same vendor
- CVE-2026-48501 — GitHub CLI (gh) is GitHub’s official command line tool (7.4 HIGH)
- CVE-2026-9312 — A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to... (8.2 HIGH)
- CVE-2026-45803 — `gh` is GitHub’s official command line tool (3.5 LOW)
- CVE-2026-45033 — GitHub Copilot CLI brings AI-powered coding assistance directly to your command line (7.8 HIGH)
- CVE-2026-29783 — The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash ... (7.8 HIGH)
Same CWE
- CVE-2026-50131 — Fedify is a TypeScript library for building federated server apps powered by ActivityPub (8.6 HIGH)
- CVE-2026-50127 — Weblate is a web based localization tool (5.9 MEDIUM)
- CVE-2026-46683 — Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page
- CVE-2026-20252 — In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.1... (7.6 HIGH)
- CVE-2026-48858 — Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvali...