PT-2026-43433 · GitHub · GitHub Enterprise Server
R31N · Published 2026-05-26 · Updated 2026-05-27 · CVE-2026-8606
CVSS v4.0: 7.0 (High)
Vector: AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions prior to 3.21.1
Description: A Server-Side Request Forgery (SSRF) allows an attacker to force the server to send HTTP requests to internal services through the security advisories package lookup feature. By targeting an internal management service and analyzing response timing, an attacker can infer sensitive environment variables, such as private keys and signing secrets. This issue requires GitHub Packages to be enabled. On instances not operating in private mode, the flaw is exploitable without authentication; otherwise, it requires an authenticated user.
Recommendations: Update to version 3.21.1 or later. For earlier release lines, update to the corresponding fixed release: 3.20.3, 3.19.7, 3.18.10, 3.17.16, or 3.16.19. As a temporary mitigation, disable GitHub Packages to prevent exploitation.
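As an added triage helper (example code, not part of the advisory), the function below maps a GitHub Enterprise Server version string onto the fixed releases listed above and combines that with the two preconditions the advisory names: GitHub Packages being enabled, and private mode deciding whether an account is needed. It assumes version strings of the form X.Y.Z; the version samples used are constructed.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) release line.
FIXED_RELEASES = {
    (3, 21): (3, 21, 1), (3, 20): (3, 20, 3), (3, 19): (3, 19, 7),
    (3, 18): (3, 18, 10), (3, 17): (3, 17, 16), (3, 16): (3, 16, 19),
}
NEWEST_FIX = (3, 21, 1)  # the advisory's affected range is "prior to 3.21.1"


def parse_version(text):
    """Parse 'X.Y.Z' (an optional leading 'v' is tolerated) into an int tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GHES version: {text!r}")
    return tuple(int(x) for x in m.groups())


def fixed_release_for(version):
    """Return the fixed release a vulnerable version should move to, or None
    when the version is already at or past the fix for its release line."""
    if version >= NEWEST_FIX:
        return None
    fix = FIXED_RELEASES.get(version[:2])
    if fix is None:
        # Release lines older than 3.16 get no backport in the advisory; the
        # only patched path is the newest fixed release.
        return NEWEST_FIX
    return None if version >= fix else fix


def triage(version_text, packages_enabled, private_mode):
    """Version state plus the advisory's preconditions, as a small report dict.
    packages_enabled / private_mode are assumed to come from the instance's
    management settings (constructed inputs here)."""
    fix = fixed_release_for(parse_version(version_text))
    if fix is None:
        return {"affected": False, "action": "none"}
    target = ".".join(map(str, fix))
    if not packages_enabled:
        exposure = "not exploitable while GitHub Packages is disabled"
    elif private_mode:
        exposure = "exploitable by authenticated users"
    else:
        exposure = "exploitable without authentication"
    return {"affected": True, "exposure": exposure, "action": f"update to {target}"}
```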

Fix · SSRF
Related Identifiers: CVE-2026-8606
Affected Products: GitHub Enterprise Server