CVE-2026-8034

UNKNOWN 0.0

Server-side request forgery vulnerability in GitHub Enterprise Server notebook viewer via URL parser confusion

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library. The hostname validation used a different URL parser than the request library, enabling a crafted URL to pass validation while directing the request to an unintended host. Exploitation required network access to the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.16.18, 3.17.15, 3.18.9, 3.19.6, and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program.

CWE	CWE-918 CWE-436
Vendor	github
Product	enterprise server
Ecosystems	DevTools
Industries	Technology
Published	May 7, 2026

Stay Ahead of the Next One

Get instant alerts for github enterprise server

Be the first to know when new unknown vulnerabilities affecting github enterprise server are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

GitHub / Enterprise Server

3.16.0 ≤ 3.16.17 3.17.0 ≤ 3.17.14 3.18.0 ≤ 3.18.8 3.19.0 ≤ 3.19.5 3.20.0 ≤ 3.20.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

docs.github.com: https://docs.github.com/en/[email protected]/admin/release-notes#3.16.18 docs.github.com: https://docs.github.com/en/[email protected]/admin/release-notes#3.17.15 docs.github.com: https://docs.github.com/en/[email protected]/admin/release-notes#3.18.9 docs.github.com: https://docs.github.com/en/[email protected]/admin/release-notes#3.19.6 docs.github.com: https://docs.github.com/en/[email protected]/admin/release-notes#3.20.2

Credits

R31n