CVE-2026-8034: CWE-918 Server-Side request forgery (SSRF) in GitHub Enterprise Server
CVE-2026-8034 is a server-side request forgery (SSRF) vulnerability in GitHub Enterprise Server's notebook viewer. It arises from a mismatch between the URL parser used for hostname validation and the one used by the HTTP request library, allowing crafted URLs to bypass validation and access unintended internal hosts. This affects all GitHub Enterprise Server versions prior to 3. 21. The vulnerability requires network access to the server instance to be exploited. It was fixed in versions 3. 16. 18, 3. 17. 15, 3.
AI Analysis
Technical Summary
This vulnerability involves SSRF in GitHub Enterprise Server's notebook viewer component due to inconsistent URL parsing between validation and request handling. An attacker with network access to the server can craft URLs that pass hostname validation but redirect requests to internal services, potentially exposing sensitive internal resources. The issue affects versions 3.16.0 through 3.20.0 and was addressed by GitHub in subsequent patch releases. The CVSS 4.0 score is 7.9, indicating high severity with network attack vector, low attack complexity, and no required privileges or user interaction.
Potential Impact
Successful exploitation allows an attacker with network access to the GitHub Enterprise Server instance to make the server perform HTTP requests to unintended internal hosts. This could lead to unauthorized access to internal services that are otherwise inaccessible externally. The vulnerability does not require authentication or user interaction, increasing its risk within accessible network environments. However, no known exploits have been reported in the wild.
Mitigation Recommendations
A fix is available and has been released in GitHub Enterprise Server versions 3.16.18, 3.17.15, 3.18.9, 3.19.6, and 3.20.2. Users should upgrade to one of these patched versions or later to remediate this vulnerability. Since this is not a cloud service, remediation depends on applying these updates. Patch status is confirmed by the vendor advisory embedded in the description.
CVE-2026-8034: CWE-918 Server-Side request forgery (SSRF) in GitHub Enterprise Server
Description
CVE-2026-8034 is a server-side request forgery (SSRF) vulnerability in GitHub Enterprise Server's notebook viewer. It arises from a mismatch between the URL parser used for hostname validation and the one used by the HTTP request library, allowing crafted URLs to bypass validation and access unintended internal hosts. This affects all GitHub Enterprise Server versions prior to 3. 21. The vulnerability requires network access to the server instance to be exploited. It was fixed in versions 3. 16. 18, 3. 17. 15, 3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability involves SSRF in GitHub Enterprise Server's notebook viewer component due to inconsistent URL parsing between validation and request handling. An attacker with network access to the server can craft URLs that pass hostname validation but redirect requests to internal services, potentially exposing sensitive internal resources. The issue affects versions 3.16.0 through 3.20.0 and was addressed by GitHub in subsequent patch releases. The CVSS 4.0 score is 7.9, indicating high severity with network attack vector, low attack complexity, and no required privileges or user interaction.
Potential Impact
Successful exploitation allows an attacker with network access to the GitHub Enterprise Server instance to make the server perform HTTP requests to unintended internal hosts. This could lead to unauthorized access to internal services that are otherwise inaccessible externally. The vulnerability does not require authentication or user interaction, increasing its risk within accessible network environments. However, no known exploits have been reported in the wild.
Mitigation Recommendations
A fix is available and has been released in GitHub Enterprise Server versions 3.16.18, 3.17.15, 3.18.9, 3.19.6, and 3.20.2. Users should upgrade to one of these patched versions or later to remediate this vulnerability. Since this is not a cloud service, remediation depends on applying these updates. Patch status is confirmed by the vendor advisory embedded in the description.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_P
- Date Reserved
- 2026-05-06T13:06:48.690Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fd095dcbff5d86103c851d
Added to database: 5/7/2026, 9:51:25 PM
Last enriched: 5/7/2026, 10:06:21 PM
Last updated: 5/7/2026, 11:04:46 PM
Views: 76
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.