CVE-2026-5921 is a server-side request forgery vulnerability in GitHub Enterprise Server's notebook rendering service. When private mode is disabled, the notebook viewer does not revalidate the destination host after HTTP redirects, allowing unauthenticated SSRF attacks to internal services. Attackers can chain this SSRF with regex filter queries against an internal API and use timing side-channel techniques to extract sensitive environment variables character by character. This vulnerability affects all GitHub Enterprise Server versions before 3.21 and was addressed in multiple patch releases starting from 3.14.26 onwards. Exploitation requires private mode to be disabled and the ability to leverage the instance's open redirect endpoint through an external redirect.

An attacker can extract sensitive environment variables from the GitHub Enterprise Server instance without authentication by exploiting SSRF and timing side-channel attacks. This could lead to disclosure of secrets that may compromise the confidentiality and integrity of the server environment. The vulnerability has a CVSS 4.0 score of 8.9 (high severity), indicating significant impact if exploited. There are no known exploits in the wild at the time of publication.

This vulnerability has been fixed in GitHub Enterprise Server versions 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, and 3.20.1. Users should upgrade to one of these fixed versions or later to remediate the issue. Since the vendor advisory does not specify any temporary or alternative mitigations, patching is the recommended action. Private mode being enabled also prevents exploitation, so ensuring private mode is enabled can mitigate risk until patching is applied.