
CVE-2026-8034: GitHub Enterprise Server notebook viewer exposes internal services to attackers

CVE-2026-8034
Summary

A server-side request forgery (SSRF) weakness in the GitHub Enterprise Server notebook viewer allows an attacker with network access to the instance to reach internal services on the same network, which could lead to unauthorized access to sensitive data or systems. To fix this issue, update to GitHub Enterprise Server version 3.21 or later.

What to do

Update to a fixed release on your release line: 3.16.18, 3.17.15, 3.18.9, 3.19.6 or 3.20.2, or to 3.21 or later.

Affected software
Vendor   Product             Affected versions
github   enterprise_server   < 3.16.18
                             >= 3.17.0, < 3.17.15
                             >= 3.18.0, < 3.18.9
                             >= 3.19.0, < 3.19.6
                             >= 3.20.0, < 3.20.2
CPE: cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
Original title
A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confu...
Original description
A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library. The hostname validation used a different URL parser than the request library, enabling a crafted URL to pass validation while directing the request to an unintended host. Exploitation required network access to the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.16.18, 3.17.15, 3.18.9, 3.19.6, and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program.
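The description names the root cause as a parser differential: the hostname check parsed the URL one way, the HTTP client parsed it another way, so a string could satisfy the check and still be sent elsewhere. The following Python is an added illustration of that class and of the fix, not code from GitHub or from the advisory; the allowlisted host notebooks.example.com, the two sample URLs, the regex-based naive_is_allowed validator and the function names are all constructed for the example, and Python's urllib.parse stands in for whatever parser the real components used. The fix it shows is the generic one: parse once, validate the parsed host, and rebuild the request URL from those same validated components so the client cannot disagree with the validator.

```python
# Added example: URL-parser differential (the SSRF class in this CVE) and its fix.
# Everything here is constructed for illustration; it is not the notebook viewer's code.
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist of hosts the viewer is permitted to fetch notebooks from.
ALLOWED_HOSTS = frozenset({"notebooks.example.com"})

# Constructed sample inputs. GOOD_URL is a normal fetch; DIFFERENTIAL_URL carries
# userinfo ("...@...") that a hand-rolled check reads as the host while a real
# URL parser reads the part after the '@' as the host.
GOOD_URL = "https://notebooks.example.com/u/demo.ipynb?rev=1#cell-3"
DIFFERENTIAL_URL = "https://notebooks.example.com@internal-service.example/u/demo.ipynb"


def naive_is_allowed(url: str) -> bool:
    """Anti-pattern: a regex decides what the host is.

    The character class stops at the first '@', ':' or '/', so it never sees
    anything after userinfo. An HTTP client parsing the same string by RFC 3986
    rules connects to the authority after the '@' instead.
    """
    match = re.match(r"^https?://([A-Za-z0-9.-]+)", url)
    return bool(match) and match.group(1).lower() in ALLOWED_HOSTS


def request_layer_host(url: str):
    """What a standards-following client actually connects to for this string."""
    return urlsplit(url).hostname


def canonical_allowed_url(url: str):
    """Hardened form: parse once, validate the parsed host, rebuild from it.

    Returns the exact URL string to hand to the HTTP client, or None to refuse.
    Because the returned URL is reassembled from the validated components, the
    client cannot end up at a host the validator never looked at.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    # Embedded credentials are the classic trigger for validator/client
    # disagreement about where the host begins; refuse them outright.
    if parts.username is not None or parts.password is not None:
        return None
    host = parts.hostname  # lowercased, userinfo/port/brackets stripped by urlsplit
    if host is None or host not in ALLOWED_HOSTS:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    netloc = host if port is None else f"{host}:{port}"
    # The fragment is never sent on the wire, so it is dropped here.
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    print("naive check accepts differential URL:", naive_is_allowed(DIFFERENTIAL_URL))
    print("client would connect to:", request_layer_host(DIFFERENTIAL_URL))
    print("hardened check returns:", canonical_allowed_url(DIFFERENTIAL_URL))
    print("hardened check on good URL:", canonical_allowed_url(GOOD_URL))
```

The check above covers only the literal URL string. A complete mitigation also routes every redirect target through the same function (or disables automatic redirect following in the client) and, where the allowlist is meant to exclude internal address space, checks the resolved addresses at connect time rather than trusting the hostname alone.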
NVD CVSS 4.0 base score: 7.9
Vulnerability type
CWE-436 Interpretation Conflict
CWE-918 Server-Side Request Forgery (SSRF)
Published: 7 May 2026 · Updated: 28 May 2026 · First seen: 7 May 2026