CVE-2026-5921 Overview
A server-side request forgery (SSRF) vulnerability in the notebook rendering service of GitHub Enterprise Server allowed an unauthenticated attacker to reach internal services and, through a timing side channel, extract sensitive environment variables from the instance. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating the destination host, so a redirect chain could steer the viewer's request to hosts that the initial allowlist check would have rejected.
By chaining the SSRF with regex filter queries against an internal API and measuring differences in response time, an attacker could infer secret values one character at a time. Exploitation required that private mode be disabled and that the attacker control an external server: the instance's open redirect endpoint was used to bounce the viewer to that server, which in turn redirected it to the internal service.
Critical Impact
Unauthenticated attackers can extract sensitive environment variables, including secrets, from GitHub Enterprise Server instances running with private mode disabled. Depending on what those secrets protect, this can lead to compromise of the surrounding infrastructure.
Affected Products
- GitHub Enterprise Server releases prior to 3.21 on the 3.14 through 3.20 lines, specifically:
- 3.14.x prior to 3.14.26
- 3.15.x prior to 3.15.21
- 3.16.x prior to 3.16.17
- 3.17.x prior to 3.17.14
- 3.18.x prior to 3.18.8
- 3.19.x prior to 3.19.5
- 3.20.x prior to 3.20.1
Discovery Timeline
- April 21, 2026 - CVE-2026-5921 published to NVD
- April 22, 2026 - NVD entry last updated
Technical Details for CVE-2026-5921
Vulnerability Analysis
This SSRF vulnerability (CWE-918) exists in the notebook rendering service of GitHub Enterprise Server. The core issue is inadequate host validation when the notebook viewer processes HTTP redirects: with private mode disabled, the service follows a redirect without revalidating that the new destination is a permitted host, so a request can be routed to internal services that are not meant to be reachable from external networks.
The timing side-channel component is what turns a blind SSRF into secret disclosure. The attacker sends regex filter queries to an internal API endpoint and measures response times; a guess whose prefix matches the secret produces a measurably different response time from one that does not, so the secret can be recovered one character at a time. The technique is slow, but it is systematic and extracts complete values.
The redirect chain combines the instance's open redirect endpoint with an attacker-controlled external redirect. The initial request targets the instance's own open redirect endpoint, which passes the initial check; the redirects that follow, which are never re-checked, carry the request through the attacker's server to the internal API.
Root Cause
The root cause is that the notebook viewer's redirect handling validates the host of the initial URL but does not revalidate after following an HTTP redirect. When a redirect response is received, the service follows the new Location without checking that the destination is in the allowed list of external hosts. This creates a path from the external-facing notebook viewer to internal services that should never be reachable by unauthenticated external requests.
Separately, the internal API's regex filtering creates a timing oracle. The API evaluates the attacker-supplied pattern against the stored values, and evaluation time depends on how much of the pattern matches, so the response time reveals whether a guessed prefix is correct. Network jitter makes each individual measurement noisy, which is why the technique needs many repeated requests; that volume is also what makes it detectable.
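The following is an added illustration of the redirect-handling defect and of the fix, not GitHub's code. It models the network and DNS with in-memory tables (constructed for the demo, as are the hostnames and allowlist) so the two fetchers can be compared offline: the vulnerable one validates only the first URL, the hardened one revalidates every hop.

```python
"""Redirect following with and without per-hop revalidation (added example)."""
import ipaddress
from urllib.parse import urlparse

# Hosts the renderer may fetch notebooks from (constructed allowlist).
ALLOWED_HOSTS = {"notebooks.example.com", "raw.example.org"}

# Constructed stand-in for DNS resolution: hostname -> IP address.
FAKE_DNS = {
    "notebooks.example.com": "93.184.216.34",
    "raw.example.org": "93.184.216.35",
    "attacker.example.net": "198.51.100.7",
    "internal-api.ghe.local": "10.0.0.5",
}

# Constructed stand-in for the network: URL -> (status, Location header or body).
FAKE_NETWORK = {
    # An open redirect on an allowlisted host bounces to an attacker server ...
    "https://notebooks.example.com/redirect?to=attacker": (302, "https://attacker.example.net/hop"),
    # ... which then redirects the viewer to an internal service.
    "https://attacker.example.net/hop": (302, "http://internal-api.ghe.local/config?filter=^A"),
    "http://internal-api.ghe.local/config?filter=^A": (200, "internal response (constructed)"),
    # A legitimate redirect between two allowlisted hosts.
    "https://notebooks.example.com/nb/1": (301, "https://raw.example.org/nb/1.ipynb"),
    "https://raw.example.org/nb/1.ipynb": (200, '{"cells": []}'),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 5


class BlockedDestination(Exception):
    """Raised when a URL (initial or redirected) fails the destination policy."""


def is_permitted(url: str) -> bool:
    """Destination policy: https only, allowlisted host, and the host must not
    resolve to a private/loopback/link-local/reserved address."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    host = parsed.hostname or ""
    if host not in ALLOWED_HOSTS:
        return False
    ip = ipaddress.ip_address(FAKE_DNS.get(host, "0.0.0.0"))  # unresolvable -> 0.0.0.0 -> blocked
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast)


def fetch_vulnerable(url: str) -> str:
    """Checks the first URL only, then follows redirects blindly (the defect)."""
    if not is_permitted(url):
        raise BlockedDestination(url)
    for _ in range(MAX_HOPS):
        status, payload = FAKE_NETWORK[url]
        if status in REDIRECT_STATUSES:
            url = payload          # no revalidation of the new destination
            continue
        return payload
    raise BlockedDestination("too many redirects")


def fetch_hardened(url: str) -> str:
    """Applies the destination policy to every hop, including the first."""
    for _ in range(MAX_HOPS):
        if not is_permitted(url):
            raise BlockedDestination(url)
        status, payload = FAKE_NETWORK[url]
        if status in REDIRECT_STATUSES:
            url = payload          # revalidated at the top of the next iteration
            continue
        return payload
    raise BlockedDestination("too many redirects")


def hardened_blocks(url: str) -> bool:
    """True if the hardened fetcher refuses the chain starting at url."""
    try:
        fetch_hardened(url)
        return False
    except BlockedDestination:
        return True


if __name__ == "__main__":
    chain = "https://notebooks.example.com/redirect?to=attacker"
    print("vulnerable:", fetch_vulnerable(chain))
    print("hardened blocks chain:", hardened_blocks(chain))
    print("hardened legit:", fetch_hardened("https://notebooks.example.com/nb/1"))
```

Two points carry over to a real HTTP client: redirects must be disabled in the client (so the loop sees every Location header rather than the library following it), and the IP address that passed the check must be the one the connection is made to, otherwise a DNS answer that changes between check and connect (DNS rebinding) defeats the address check.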
Attack Vector
The attack is network-based and can be carried out by unauthenticated remote attackers. It requires the following conditions:
- Private mode disabled - this configuration exposes the notebook rendering service to unauthenticated requests
- Access to the instance's open redirect endpoint - the attacker must be able to reach and abuse it
- An attacker-controlled external server - needed to chain the redirects and route the request to the internal service
The attacker crafts a notebook request that triggers a redirect chain: the initial request goes to the open redirect endpoint, bounces to the attacker's external server, and from there is redirected to an internal service endpoint. With internal access established, the attacker issues repeated requests with varying regex patterns and times each response, extracting the secret one character per round.
Detection Methods for CVE-2026-5921
Indicators of Compromise
- Unusual outbound HTTP requests from the notebook rendering service to external hosts followed by requests to internal service endpoints
- High volume of requests to internal API endpoints with varying regex filter parameters from the same session
- Abnormal patterns of requests with incrementally changing query parameters targeting sensitive configuration endpoints
- Network traffic showing redirect chains that originate from external sources but terminate at internal service addresses
Detection Strategies
- Monitor notebook rendering service logs for requests that follow redirect chains to internal IP addresses or hostnames
- Implement request timing analysis to detect patterns consistent with timing side-channel attacks (many sequential requests with small parameter variations)
- Configure network monitoring to alert on unusual internal API access patterns originating from the notebook service
- Review web server access logs for suspicious redirect patterns involving the open redirect endpoint
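As an added example of the second strategy above (many sequential requests with small parameter variations), the script below scans an internal API access log for a single source walking a regex filter prefix one character at a time, and also reports how many responses were markedly slower than the group's fastest, the bimodal latency a timing oracle produces. It is not a GitHub-provided rule; the log format, field names, endpoint path and sample lines are constructed for the demo.

```python
"""Detect character-by-character regex prefix walks in an access log (added example)."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed log format: <timestamp> <source> <method> <path?query> <status> <latency>ms
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3}) (?P<ms>\d+)ms$"
)

# Constructed sample: 10.0.0.20 sweeps ^A, ^B, ^G, then extends the match;
# 10.0.0.31 makes ordinary requests.
SAMPLE_LOG = """\
2026-04-22T10:00:01Z 10.0.0.20 GET /api/config?filter=^A 200 41ms
2026-04-22T10:00:01Z 10.0.0.20 GET /api/config?filter=^B 200 40ms
2026-04-22T10:00:02Z 10.0.0.20 GET /api/config?filter=^G 200 388ms
2026-04-22T10:00:02Z 10.0.0.20 GET /api/config?filter=^GA 200 39ms
2026-04-22T10:00:03Z 10.0.0.20 GET /api/config?filter=^GH 200 391ms
2026-04-22T10:00:03Z 10.0.0.20 GET /api/config?filter=^GHA 200 42ms
2026-04-22T10:00:04Z 10.0.0.20 GET /api/config?filter=^GHP 200 385ms
2026-04-22T10:00:04Z 10.0.0.20 GET /api/config?filter=^GHP_ 200 390ms
2026-04-22T10:00:05Z 10.0.0.31 GET /api/config?filter=^DB 200 44ms
2026-04-22T10:00:06Z 10.0.0.31 GET /api/health 200 3ms
2026-04-22T10:00:07Z 10.0.0.31 GET /api/config?filter=^DB 200 43ms
"""


def parse_line(line: str):
    """Parse one log line into source, path, filter parameter and latency."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = parse_qs(parts.query)
    return {
        "src": m.group("src"),
        "path": parts.path,
        "filter": query.get("filter", [None])[0],
        "ms": int(m.group("ms")),
    }


def prefix_walk_depth(values) -> int:
    """Depth of the longest chain of filter values in which each step either
    retries the same position (same length, same leading characters) or
    extends the previously accepted value by exactly one character."""
    chain, best = [], 0
    for v in values:
        if not chain:
            chain = [v]
        elif len(v) == len(chain[-1]) and v[:-1] == chain[-1][:-1]:
            chain[-1] = v                      # another guess for the same position
        elif len(v) == len(chain[-1]) + 1 and v.startswith(chain[-1]):
            chain.append(v)                    # character accepted, next position
        else:
            chain = [v]                        # unrelated pattern, start over
        best = max(best, len(chain))
    return best


def detect_prefix_walks(log_text: str, min_depth: int = 3, min_requests: int = 5):
    """Group filtered requests by (source, path) and flag groups that look like
    incremental secret extraction. Returns one finding per flagged group."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["filter"] is not None:
            groups[(rec["src"], rec["path"])].append(rec)
    findings = []
    for (src, path), recs in groups.items():
        depth = prefix_walk_depth([r["filter"] for r in recs])
        if depth >= min_depth and len(recs) >= min_requests:
            floor = min(r["ms"] for r in recs)
            slow = sum(1 for r in recs if r["ms"] > 2 * floor)   # bimodal latency signal
            findings.append({"src": src, "path": path, "depth": depth,
                             "requests": len(recs), "slow_responses": slow})
    return findings


if __name__ == "__main__":
    for finding in detect_prefix_walks(SAMPLE_LOG):
        print(finding)
```

The depth threshold, request count and the 2x latency ratio are starting points to tune against your own baseline; a legitimate client paging through filtered results rarely produces a chain of patterns that each extend the previous one by a single character.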
Monitoring Recommendations
- Enable detailed logging on the notebook rendering service to capture full redirect chains and destination hosts
- Deploy network-level monitoring to track requests from the notebook service to internal service endpoints
- Set up alerting thresholds for API request rates to internal services that may indicate secret extraction attempts
- Implement response time monitoring on internal APIs to detect potential timing attack patterns
How to Mitigate CVE-2026-5921
Immediate Actions Required
- Upgrade GitHub Enterprise Server to one of the patched versions: 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, or 3.20.1
- Enable private mode on GitHub Enterprise Server instances if not already enabled to reduce the attack surface
- Review network segmentation to ensure internal services are not accessible from the notebook rendering service
- Treat secrets held in environment variables as potentially exposed on any instance that ran an affected version with private mode disabled, and rotate them; the side channel leaves only indirect traces (bursts of internal API requests), so a clean-looking log is weak assurance that nothing was extracted
Patch Information
GitHub has released security patches addressing this vulnerability across multiple supported versions of GitHub Enterprise Server. Organizations should upgrade to the appropriate patched version based on their current deployment:
- Version 3.14.x: Upgrade to version 3.14.26
- Version 3.15.x: Upgrade to version 3.15.21
- Version 3.16.x: Upgrade to version 3.16.17
- Version 3.17.x: Upgrade to version 3.17.14
- Version 3.18.x: Upgrade to version 3.18.8
- Version 3.19.x: Upgrade to version 3.19.5
- Version 3.20.x: Upgrade to version 3.20.1
This vulnerability was reported via the GitHub Bug Bounty program.
Workarounds
- Enable private mode on the GitHub Enterprise Server instance to prevent unauthenticated access to the notebook rendering service
- Implement network-level controls to block the notebook rendering service from making requests to internal service endpoints
- Deploy a web application firewall (WAF) rule to detect and block suspicious redirect chains targeting internal addresses
- Consider temporarily disabling the notebook rendering feature if immediate patching is not possible
# Configuration example - enable private mode on GitHub Enterprise Server
# Either use the Management Console, or run ghe-config over the administrative SSH shell:
ghe-config app.private-mode          # print the current value
ghe-config app.private-mode true     # set it
ghe-config-apply                     # apply the configuration; some services restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.