CVE-2026-1999 is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918 affecting GitHub Enterprise Server prior to version 3.20. SSRF vulnerabilities allow attackers to induce the server to make HTTP requests to arbitrary internal or external resources. In this case, an authenticated user with permissions to configure webhooks—such as repository administrators, organization administrators, or GitHub App administrators—can exploit this flaw to send crafted requests to internal services bound to loopback (127.0.0.1) or unspecified addresses. This can lead to unauthorized access to sensitive internal endpoints, including administrative interfaces, metrics, profiling data, and job queue management APIs. Such access can disrupt background job processing or allow attackers to manipulate internal server state. The vulnerability does not require user interaction beyond authentication and leverages the server’s trust in internal network boundaries. The CVSS v4.0 score is 7.2 (high severity), reflecting network attack vector, low attack complexity, no user interaction, and limited privileges required. The vulnerability was responsibly disclosed via the GitHub Bug Bounty program and fixed in patch releases 3.14.22, 3.15.17, 3.16.13, 3.17.10, 3.18.4, and 3.19.1. No public exploits or active exploitation have been reported to date.

The impact of CVE-2026-1999 is significant for organizations using vulnerable versions of GitHub Enterprise Server. An attacker with webhook configuration privileges can bypass network segmentation controls to access internal services that are normally inaccessible externally. This can lead to unauthorized disclosure of sensitive administrative data, metrics, and profiling information, potentially exposing operational details and vulnerabilities. Additionally, manipulation of job queues and disruption of background processing can degrade service availability and reliability. Since GitHub Enterprise Server is widely used by enterprises for source code management and CI/CD workflows, exploitation could compromise software development pipelines, leading to potential code integrity issues or delays in deployment. The requirement for authenticated access limits exposure to insider threats or compromised accounts with elevated permissions. However, given the critical role of GitHub Enterprise Server in software development lifecycles, the risk to confidentiality, integrity, and availability is high if exploited.

To mitigate CVE-2026-1999, organizations should immediately upgrade GitHub Enterprise Server to one of the patched versions: 3.14.22, 3.15.17, 3.16.13, 3.17.10, 3.18.4, or 3.19.1, or later. Beyond patching, organizations should audit and restrict webhook configuration permissions to the minimum necessary users, ideally limiting this capability to trusted administrators. Implement network segmentation and firewall rules to restrict internal service accessibility even from the GitHub server itself, reducing the impact of SSRF attempts. Monitor logs for unusual webhook configuration changes or internal requests originating from GitHub Enterprise Server. Employ multi-factor authentication and strong access controls to reduce the risk of compromised accounts with elevated privileges. Regularly review and harden internal administrative endpoints and job queue management interfaces to require additional authentication or authorization. Finally, maintain an incident response plan that includes detection and remediation steps for SSRF exploitation attempts.