CVE-2026-5921 | GitHub Enterprise Server up to 3.20.0 Notebook Rendering Service server-side request forgery

VDB-358754 · CVE-2026-5921 · GCVE-0-2026-5921 GITHUB ENTERPRISE SERVER UP TO 3.20.0 NOTEBOOK RENDERING SERVICE SERVER-SIDE REQUEST FORGERY HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 7.0 $0-$5k 2.31+ Summaryinfo A vulnerability was found in GitHub Enterprise Server up to 3.20.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the component Notebook Rendering Service. Such manipulation leads to server-side request forgery. This vulnerability is traded as CVE-2026-5921. The attack may be launched remotely. There is no exploit available. It is suggested to upgrade the affected component. Detailsinfo A vulnerability was found in GitHub Enterprise Server up to 3.20.0 and classified as critical. Affected by this issue is an unknown code of the component Notebook Rendering Service. The manipulation with an unknown input leads to a server-side request forgery vulnerability. Using CWE to declare the problem leads to CWE-918. The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Impacted is confidentiality, integrity, and availability. CVE summarizes: A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating the destination host, enabling an unauthenticated SSRF to internal services. By chaining this with regex filter queries against an internal API and measuring response time differences, an attacker could infer secret values character by character. Exploitation required that private mode be disabled and that the attacker be able to chain the instance's open redirect endpoint through an external redirect to reach internal services. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program. The weakness was shared by R31n. The advisory is available at docs.github.com. This vulnerability is handled as CVE-2026-5921 since 04/08/2026. The exploitation is known to be easy. The attack may be launched remotely. No form of authentication is required for exploitation. The technical details are unknown and an exploit is not available. Upgrading to version 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5 or 3.20.1 eliminates this vulnerability. Productinfo Type Bug Tracking Software Vendor GitHub Name Enterprise Server Version 3.0 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.14.0 3.14.1 3.14.2 3.14.3 3.14.4 3.14.5 3.14.6 3.14.7 3.14.8 3.14.9 3.14.10 3.14.11 3.14.12 3.14.13 3.14.14 3.14.15 3.14.16 3.14.17 3.14.18 3.14.19 3.14.20 3.14.21 3.14.22 3.14.23 3.14.24 3.14.25 3.15 3.15.0 3.15.1 3.15.2 3.15.3 3.15.4 3.15.5 3.15.6 3.15.7 3.15.8 3.15.9 3.15.10 3.15.11 3.15.12 3.15.13 3.15.14 3.15.15 3.15.16 3.15.17 3.15.18 3.15.19 3.15.20 3.16 3.16.0 3.16.1 3.16.2 3.16.3 3.16.4 3.16.5 3.16.6 3.16.7 3.16.8 3.16.9 3.16.10 3.16.11 3.16.12 3.16.13 3.16.14 3.16.15 3.16.16 3.17 3.17.0 3.17.1 3.17.2 3.17.3 3.17.4 3.17.5 3.17.6 3.17.7 3.17.8 3.17.9 3.17.10 3.17.11 3.17.12 3.17.13 3.18 3.18.0 3.18.1 3.18.2 3.18.3 3.18.4 3.18.5 3.18.6 3.18.7 3.19 3.19.0 3.19.1 3.19.2 3.19.3 3.19.4 3.20.0 License open-source CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA CVSS-B Score: 🔒 CNA CVSS-BT Score: 🔒 CNA Vector: 🔒 CVSSv3info VulDB Meta Base Score: 7.3 VulDB Meta Temp Score: 7.0 VulDB Base Score: 7.3 VulDB Temp Score: 7.0 VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Server-side request forgery CWE: CWE-918 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: Enterprise Server 3.14.26/3.15.21/3.16.17/3.17.14/3.18.8/3.19.5/3.20.1 Timelineinfo 04/08/2026 CVE reserved 04/22/2026 +14 days Advisory disclosed 04/22/2026 +0 days VulDB entry created 04/22/2026 +0 days VulDB entry last update Sourcesinfo Advisory: docs.github.com Researcher: R31n Status: Confirmed CVE: CVE-2026-5921 (🔒) GCVE (CVE): GCVE-0-2026-5921 GCVE (VulDB): GCVE-100-358754 Entryinfo Created: 04/22/2026 07:29 Changes: 04/22/2026 07:29 (69) Complete: 🔍 Cache ID: 99:E63:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸