VYPR
High severity · NVD Advisory · Published May 27, 2026

CVE-2026-8606

Description

A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server to issue HTTP requests to internal services via the security advisories package lookup feature. By directing requests to an internal management service and measuring response timing, an attacker could infer the values of sensitive environment variables, including signing secrets and private keys. Exploitation required GitHub Packages to be enabled; on instances not running in private mode the vulnerability was exploitable without authentication, otherwise any authenticated user could exploit it. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21.1 and was fixed in versions 3.20.3, 3.19.7, 3.18.10, 3.17.16, and 3.16.19. This vulnerability was reported via the GitHub Bug Bounty program.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An SSRF vulnerability in GitHub Enterprise Server's security advisories package lookup allows attackers to infer sensitive environment variables via timing side-channel attacks.

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability exists in the security advisories package lookup feature of GitHub Enterprise Server. The package URL endpoint did not validate the supplied package name, enabling SSRF to internal services. This affects all versions prior to 3.21.1, with fixes in 3.20.3, 3.19.7, 3.18.10, 3.17.16, and 3.16.19 [1][2][3][4]. Exploitation requires GitHub Packages to be enabled. On instances not running in private mode, the vulnerability is exploitable without authentication; otherwise, any authenticated user can exploit it.

Exploitation

An attacker can send a crafted request to the security advisories package lookup endpoint, specifying a malicious package name that causes the server to issue an HTTP request to an internal management service. By measuring the response timing of these requests, the attacker can infer the values of sensitive environment variables, including signing secrets and private keys.
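The bug class behind this advisory is an unvalidated package name reaching the server-side HTTP client. The following Ruby is an added illustration written for this page, not GitHub Enterprise Server code: the registry base URL, the lookup path and the package-name grammar are assumptions. It contrasts a builder that resolves the caller-supplied name against a base URL (so an absolute URL swaps the host and "../" segments rewrite the path) with a hardened builder that validates the name against a strict allowlist and then re-checks that the resulting URL still points at the registry.

```ruby
require "uri"

# Illustrative package-lookup URL builders written for this page; they are
# not GitHub Enterprise Server code. The registry base URL and the package
# name grammar are assumptions chosen to show the bug class.

REGISTRY_BASE = URI("https://packages.example.internal/api/v1/packages/")

# Vulnerable pattern: the caller-supplied name is resolved against the base
# URL without validation. URI.join applies RFC 3986 reference resolution, so
# an absolute URL replaces scheme/host/port and "../" segments climb out of
# the intended path, both of which let the caller pick the server's target.
def lookup_url_vulnerable(name)
  URI.join(REGISTRY_BASE, name)
end

# Hardened pattern: accept only names matching a strict allowlist grammar
# (hypothetical here), append the name to a fixed path instead of resolving
# it, and then assert that the result is still inside the registry. The
# second check is kept as defence in depth against mistakes in the first.
PACKAGE_NAME = /\A[a-z0-9][a-z0-9._-]{0,127}\z/i

class InvalidPackageName < ArgumentError; end

def lookup_url_hardened(name)
  unless name.is_a?(String) && name.match?(PACKAGE_NAME)
    raise InvalidPackageName, "rejected package name #{name.inspect}"
  end

  url = REGISTRY_BASE.dup
  url.path = REGISTRY_BASE.path + name

  # Post-condition: scheme, host and port unchanged, path still under the
  # registry prefix, and no userinfo, query or fragment smuggled in.
  unless url.scheme == REGISTRY_BASE.scheme &&
         url.host == REGISTRY_BASE.host &&
         url.port == REGISTRY_BASE.port &&
         url.path.start_with?(REGISTRY_BASE.path) &&
         url.userinfo.nil? && url.query.nil? && url.fragment.nil?
    raise InvalidPackageName, "URL left the registry: #{url}"
  end
  url
end

# Boolean convenience for callers that prefer a result to an exception.
def rejected?(name)
  lookup_url_hardened(name)
  false
rescue InvalidPackageName
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a legitimate name, an absolute URL aimed at an
  # internal host, and a path-traversal name.
  ["rails", "http://10.0.0.1:8080/admin/env", "../../admin/env"].each do |n|
    puts "vulnerable(#{n.inspect}) -> #{lookup_url_vulnerable(n)}"
    puts "hardened(#{n.inspect})   -> #{rejected?(n) ? 'REJECTED' : lookup_url_hardened(n)}"
  end
end
```

The grammar check alone would already stop the two hostile inputs; the post-condition exists so that a later relaxation of the regex (scoped names, for instance) cannot silently reopen the path to internal services. Network-level egress restrictions on the process that performs the lookup are a separate, complementary control not shown here.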

Impact

Successful exploitation allows an attacker to extract sensitive environment variables containing signing secrets and private keys. This information disclosure could lead to further compromise of the GitHub Enterprise Server instance and its data.

Mitigation

The vulnerability is fixed in GitHub Enterprise Server versions 3.20.3, 3.19.7, 3.18.10, 3.17.16, and 3.16.19 [1][2][3][4]; the affected endpoint has been removed from the server. Administrators should upgrade to one of these versions or later. There are no known workarounds. While an upgrade is pending, the preconditions in the description bound the exposure: the endpoint is only exploitable when GitHub Packages is enabled, and on instances running in private mode only authenticated users can reach it.
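For fleet triage it helps to turn the fixed-version list and the exploitation preconditions above into a check. The Ruby below is an added example, not GitHub tooling. It encodes the per-release-line fixes from the description, reads "prior to 3.21.1" as meaning 3.21.1 and later are unaffected (an interpretation of the wording, stated here as such), and combines the result with the two preconditions (GitHub Packages enabled, private mode) to say who could exploit a given instance. Version strings are assumed to be plain x.y.z.

```ruby
# Added example for triaging CVE-2026-8606 across GitHub Enterprise Server
# instances. Not GitHub tooling; version strings are assumed to be x.y.z.

# First fixed release on each affected line, from the advisory text. The
# 3.21 entry reflects "affected all versions prior to 3.21.1".
FIXED_BY_LINE = {
  [3, 16] => [3, 16, 19],
  [3, 17] => [3, 17, 16],
  [3, 18] => [3, 18, 10],
  [3, 19] => [3, 19, 7],
  [3, 20] => [3, 20, 3],
  [3, 21] => [3, 21, 1],
}.freeze

def parse_version(str)
  m = str.to_s.strip.match(/\A(\d+)\.(\d+)\.(\d+)\z/)
  raise ArgumentError, "unrecognised version #{str.inspect}" unless m
  m.captures.map(&:to_i)
end

# :fixed                  running a fixed release of an affected line
# :affected               below the fix on an affected line
# :affected_no_fix_listed affected (older than 3.21.1) but no fixed release
#                         for that line appears in the advisory
# :not_affected           a line newer than 3.21
def cve_2026_8606_status(version)
  v = parse_version(version)
  line = v[0, 2]
  return :not_affected if (line <=> [3, 21]) > 0

  fix = FIXED_BY_LINE[line]
  return :affected_no_fix_listed if fix.nil?

  (v <=> fix) >= 0 ? :fixed : :affected
end

# Combines the version status with the advisory's preconditions:
# exploitation requires GitHub Packages to be enabled, and private mode
# restricts exploitation to authenticated users.
def exposure(version, packages_enabled:, private_mode:)
  status = cve_2026_8606_status(version)
  return :patched unless %i[affected affected_no_fix_listed].include?(status)
  return :not_reachable unless packages_enabled

  private_mode ? :authenticated_users : :unauthenticated
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inventory rows: [version, packages_enabled, private_mode]
  [["3.20.2", true, false], ["3.20.3", true, false],
   ["3.16.18", true, true], ["3.15.4", false, true], ["3.22.0", true, false]].each do |ver, pk, pm|
    puts format("%-8s status=%-24s exposure=%s", ver,
                cve_2026_8606_status(ver), exposure(ver, packages_enabled: pk, private_mode: pm))
  end
end
```

Note that `:not_reachable` and `:authenticated_users` describe the current configuration, not a fix: a later change to enable Packages or disable private mode turns those instances into `:unauthenticated` targets, so they still belong on the upgrade list.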

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
