Cyber Posture

CVE-2026-5921

Severity: High

Published: 21 April 2026
Modified: 28 April 2026
KEV Added: not listed in CISA KEV
Patch: available (fixed releases listed below)
CVSS Score: 8.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L)
EPSS Score: 0.0006 (19.9th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-5921 is a high-severity server-side request forgery (SSRF, CWE-918) vulnerability in the notebook rendering service of GitHub Enterprise Server. Its CVSS v3.1 base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the vulnerability at the 19.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog. The high base score and the low exploit likelihood are not in tension: the vector's AC:H reflects a timing side channel that needs many measurements, and exploitation only works against instances running with private mode disabled.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and two further techniques, Network Service Discovery (T1046) and Unsecured Credentials (T1552). What defenders deploy: the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-2 Flaw Remediation · prevent: Timely application of vendor patches for GitHub Enterprise Server directly remediates the SSRF vulnerability in the notebook rendering service.

SI-10 Information Input Validation · prevent: Validates untrusted inputs such as URLs and redirect targets in the notebook viewer, on every hop and not only on the initial request, so that a fetch cannot be steered to internal services.

AC-4 Information Flow Enforcement · prevent: Enforces information flow policies that prohibit the notebook rendering service from reaching internal hosts at all, including via redirects issued by untrusted external destinations.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1046 Network Service Discovery (Discovery): Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

The SSRF is reachable without authentication on a public-facing GitHub Enterprise Server instance, which is exploitation of a public-facing application (T1190). Once the renderer can be steered to arbitrary internal hosts, the attacker can learn which internal services answer (T1046), and the timing side channel against the internal API turns that reachability into extraction of environment-variable secrets and credentials (T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating the destination host, enabling an unauthenticated SSRF to internal services. By chaining this with regex filter queries against an internal API and measuring response time differences, an attacker could infer secret values character by character. Exploitation required that private mode be disabled and that the attacker be able to chain the instance's open redirect endpoint through an external redirect to reach internal services. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.
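The following is an added example, not GitHub's code or the notebook viewer's actual implementation. It models the defect the NVD description names (redirects followed without re-validating the destination host) next to the SI-10/AC-4 style fix: a per-hop policy that rejects non-http(s) schemes and any destination that resolves to a non-public address. The hostnames, the DNS and HTTP tables and the returned "secret" are constructed so the block runs offline, and the open-redirect-through-external-host chain is collapsed to the one redirect hop that matters.

```python
"""Added example (not GitHub's code): the same URL fetcher written two ways.
fetch_vulnerable() validates only the URL the user supplied and then follows
redirects blindly; fetch_hardened() applies the policy to every hop.
Network I/O is replaced by constructed in-memory tables so it runs offline."""
import ipaddress
from urllib.parse import urljoin, urlparse

# Constructed DNS table. The IPs are placeholders chosen only because
# ipaddress treats them as globally routable; they are not these hosts' real addresses.
FAKE_DNS = {
    "notebooks.example.com": "8.8.8.8",        # public: a legitimate notebook host
    "attacker.example.net": "1.1.1.1",         # public: attacker-controlled, answers with a redirect
    "internal-api.ghe.local": "10.0.5.20",     # RFC 1918: must never be reached
}

# Constructed HTTP table: url -> (status, Location header or body).
FAKE_HTTP = {
    "https://notebooks.example.com/demo.ipynb": (200, '{"cells": []}'),
    "https://attacker.example.net/redir": (302, "http://internal-api.ghe.local/env"),
    "http://internal-api.ghe.local/env": (200, "SECRET_TOKEN=constructed-value"),
}

REDIRECT_STATUSES = (301, 302, 303, 307, 308)
MAX_REDIRECTS = 5


def resolve(host):
    """Hypothetical resolver backed by the constructed table."""
    if host not in FAKE_DNS:
        raise ValueError(f"unresolvable host: {host}")
    return FAKE_DNS[host]


def validate_hop(url):
    """Per-hop policy: http(s) only, and the host must resolve to a public address.
    is_global is False for loopback, RFC 1918, link-local (169.254.169.254), CGNAT, etc."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    ip = ipaddress.ip_address(resolve(parts.hostname))
    if not ip.is_global or ip.is_multicast:
        raise ValueError(f"{parts.hostname} resolves to non-public {ip}")
    return ip


def http_get(url):
    """Hypothetical transport: a single request with no automatic redirect handling."""
    return FAKE_HTTP.get(url, (404, ""))


def fetch_vulnerable(url):
    """Checks the initial URL only; each redirect target is trusted as-is."""
    validate_hop(url)
    current = url
    for _ in range(MAX_REDIRECTS):
        status, payload = http_get(current)
        if status in REDIRECT_STATUSES:
            current = urljoin(current, payload)   # new host, no new check
            continue
        return status, payload
    raise ValueError("too many redirects")


def fetch_hardened(url):
    """Re-validates every hop, so a redirect cannot steer the fetch to an internal host."""
    current = url
    for _ in range(MAX_REDIRECTS):
        validate_hop(current)                    # policy applied before each request
        status, payload = http_get(current)
        if status in REDIRECT_STATUSES:
            current = urljoin(current, payload)
            continue
        return status, payload
    raise ValueError("too many redirects")


def outcome(fetcher, url):
    """Summarise a fetch as ("fetched", status, body) or ("blocked", reason)."""
    try:
        status, payload = fetcher(url)
        return ("fetched", status, payload)
    except ValueError as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    for f in (fetch_vulnerable, fetch_hardened):
        print(f.__name__, outcome(f, "https://attacker.example.net/redir"))
```

Two details matter when this is done against a real HTTP client. The check has to run on every hop, because the attacker controls the Location header of the external host, and it has to be applied to the address the client actually connects to, not just the name: resolve, check, then pin the connection to that IP, otherwise a DNS answer that changes between the check and the connect (rebinding) reopens the hole.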

Deeper analysis [AI-generated]

CVE-2026-5921 is a server-side request forgery (SSRF) vulnerability in GitHub Enterprise Server, specifically in the notebook rendering service. When private mode is disabled, the notebook viewer follows HTTP redirects without revalidating the destination host, so an unauthenticated request can be steered to internal services. Attackers chain this with regex filter queries against an internal API and use response-time differences to extract sensitive environment variables one character at a time. The vulnerability affects all versions of GitHub Enterprise Server prior to 3.21 that have not received the backported fix, carries a CVSS v3.1 base score of 8.9 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L), and is classified as CWE-918.

An unauthenticated attacker chains the instance's open redirect endpoint through an external redirect to reach internal services, which lets the renderer be used to discover which internal hosts answer and to query them. Once the SSRF is established, the attacker measures response-time variations of regex-based queries to infer secret values, such as environment variables, one character at a time. Exploitation requires private mode to be disabled, so instances that serve anonymous users are the ones exposed; the high attack complexity (AC:H) reflects the many measurements a timing side channel needs.

Mitigation is to update to a patched version of GitHub Enterprise Server: 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, or 3.20.1. Release notes for the 3.14 through 3.18 fixes are available in the GitHub documentation at the following URLs: https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.26, https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.21, https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.17, https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.14, and https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.8. The issue was reported through the GitHub Bug Bounty program.
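An added illustration of the measurement loop behind "infer secret values character by character". This is a constructed model, not GitHub's internal API or any real endpoint: the model answers slower when the literal prefix of a caller-supplied filter matches the stored value, with Gaussian jitter standing in for network and scheduling noise, so the attacker has to take many samples per guess and decide on medians. The request counter it returns is the practical reason the vector carries AC:H. Variable names, timing constants and the secret values are assumptions.

```python
"""Added example (constructed model, not GitHub's code): recovering a secret
one character at a time from a timing oracle that must be sampled repeatedly."""
import random
import statistics
import string

# Constructed environment of the simulated instance. The attacker never reads
# these values directly; only the response time of a filter query leaks them.
SECRETS = {"GHE_TOKEN": "k7Qz", "LOG_LEVEL": "info"}
ALPHABET = string.ascii_letters + string.digits
SAMPLES = 101        # measurements per guess; noise forces repetition
DECISION_US = 20.0   # half the modelled gap between the fast and slow paths


class InternalApiModel:
    """Constructed stand-in for an internal endpoint that filters records with a
    caller-supplied regex. Only timing is modelled: a filter whose literal
    prefix matches the stored value does extra work before answering (SLOW_US);
    one that fails on its first character answers in FAST_US. Jitter comes from
    a seeded PRNG so runs are reproducible."""
    FAST_US, SLOW_US, JITTER_SD_US = 300.0, 340.0, 30.0

    def __init__(self, seed=7):
        self.rng = random.Random(seed)
        self.requests = 0

    def query_time_us(self, var, prefix):
        """Return the modelled response time for filter '^<prefix>' on variable var."""
        self.requests += 1
        value = SECRETS.get(var, "")
        base = self.SLOW_US if value.startswith(prefix) else self.FAST_US
        return base + self.rng.gauss(0.0, self.JITTER_SD_US)


def measure(api, var, prefix, samples=SAMPLES):
    """Median of repeated timings: the median resists outliers better than the mean."""
    return statistics.median(api.query_time_us(var, prefix) for _ in range(samples))


def extract(api, var, max_len=64):
    """Recover the value of var one character at a time. At each position every
    alphabet symbol is timed as an extension of the known prefix; the slow one
    is correct. When no extension stands clearly above the others, the value is
    complete (the oracle no longer has a next character to match)."""
    known = ""
    for _ in range(max_len):
        medians = {c: measure(api, var, known + c) for c in ALPHABET}
        best = max(medians, key=medians.get)
        floor = statistics.median(medians.values())   # nearly all guesses hit the fast path
        if medians[best] - floor < DECISION_US:
            break
        known += best
    return known


if __name__ == "__main__":
    api = InternalApiModel()
    print(extract(api, "GHE_TOKEN"), "after", api.requests, "requests")
```

The loop recovers a four-character value with 62 guesses per position, 101 samples per guess and one extra position to detect the end, so roughly 31,000 requests for a short token. Adding jitter on the server does not close the channel; it only raises the sample count. What closes it is removing the reachability (the patched redirect handling, or an AC-4 policy that keeps the renderer off internal networks) and not evaluating caller-controlled regexes against secret material in the first place.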

Details

CWE(s): CWE-918 Server-Side Request Forgery (SSRF)

Affected Products

GitHub Enterprise Server: 3.14.x before 3.14.26 · 3.15.0 up to but not including 3.15.21 · 3.16.0 up to but not including 3.16.17 · 3.20.0. The NVD description also names fixes for the 3.17, 3.18 and 3.19 branches (3.17.14, 3.18.8 and 3.19.5), so earlier releases on those branches are affected as well.

CVEs Like This One

CVE-2026-0573 (same product: GitHub Enterprise Server)
CVE-2026-3854 (same product: GitHub Enterprise Server)
CVE-2026-5845 (same product: GitHub Enterprise Server)
CVE-2025-23369 (same product: GitHub Enterprise Server)
CVE-2024-10001 (same product: GitHub Enterprise Server)
CVE-2026-0686 (shared CWE-918)
CVE-2025-1849 (shared CWE-918)
CVE-2025-1848 (shared CWE-918)
CVE-2026-4528 (shared CWE-918)
CVE-2025-27777 (shared CWE-918)

References