Patches SSRF timing side-channel secret leak in GitHub Enterprise Server
TL;DR — A High-severity unauthenticated SSRF in GitHub Enterprise Server’s notebook rendering flow can be chained with a timing side-channel to extract sensitive environment variables when private mode is disabled.
What happened
GitHub Enterprise Server (GHES) is GitHub’s self-hosted appliance used by enterprises to run source code hosting, CI/CD integrations, and security workflows inside their own networks.
In the April 21, 2026 GHES patch releases, GitHub disclosed a High-severity issue (CVE-2026-5921) where an attacker could extract sensitive environment variables via a timing side-channel against the notebook rendering service. GitHub’s release notes describe that when private mode was disabled, the notebook viewer could follow HTTP redirects without revalidating the destination host, enabling unauthenticated SSRF to internal services; by measuring response-time differences, an attacker could infer secret values character-by-character. GitHub notes the issue was reported via the GitHub Bug Bounty program.
This matters operationally because SSRF remains one of the most reliable ways to pivot from “web request” to “internal service reachability,” and timing side-channels turn “some internal access” into incremental secret extraction — a dangerous combination for high-trust developer platforms.
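The redirect flaw described in the release notes is a general pattern: a fetcher that validates only the initial URL and then trusts whatever `Location` header the first host returns. The following is an added example, not GitHub's code, showing the flawed pattern beside the hardened one; the resolver (`FAKE_DNS`), server map (`FAKE_HTTP`), hostnames and the `BLOCKED_NETS` policy are all constructed so it runs offline.

```python
import ipaddress
from urllib.parse import urlparse

# Address ranges a notebook renderer should never fetch from (RFC 1918, loopback,
# link-local, shared address space). Hypothetical policy; extend for your network.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed stand-ins so the example runs offline: a fake resolver and a fake
# HTTP server map. Hostnames and addresses are made up (203.0.113.0/24 is TEST-NET-3).
FAKE_DNS = {"notebooks.example.com": "203.0.113.10",
            "metadata.internal": "169.254.169.254"}
FAKE_HTTP = {  # url -> (status, Location header on 302 / body on 200)
    "https://notebooks.example.com/nb.ipynb": (302, "http://metadata.internal/env"),
    "http://metadata.internal/env": (200, "API_TOKEN=constructed-secret"),
    "https://notebooks.example.com/ok.ipynb": (302, "https://notebooks.example.com/final.ipynb"),
    "https://notebooks.example.com/final.ipynb": (200, '{"cells": []}'),
}

class BlockedDestination(Exception):
    pass

def destination_allowed(url: str) -> bool:
    """Resolve the URL's host and refuse anything landing in a blocked range."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in FAKE_DNS:
        return False
    ip = ipaddress.ip_address(FAKE_DNS[parts.hostname])
    return not any(ip in net for net in BLOCKED_NETS)

def fetch(url: str, revalidate_each_hop: bool, max_hops: int = 5) -> str:
    """Follow redirects manually. revalidate_each_hop=False reproduces the flawed
    pattern (only the initial URL is checked); True re-checks every Location target."""
    if not destination_allowed(url):
        raise BlockedDestination(url)
    for _ in range(max_hops):
        status, payload = FAKE_HTTP[url]
        if status != 302:
            return payload
        url = payload  # redirect target is chosen by whoever controls the first host
        if revalidate_each_hop and not destination_allowed(url):
            raise BlockedDestination(url)
    raise BlockedDestination("too many redirects")
```

In a real client the check must apply to the address actually connected to, not a separate lookup, or DNS rebinding between resolution and connection reopens the gap.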
Who is impacted
- Organizations running GitHub Enterprise Server with private mode disabled.
- Instances that have not yet applied the GHES patch release for their deployed release line.
| GHES release line | Fixed release (per release notes) | Release date (per release notes) |
|---|---|---|
| 3.20 | 3.20.1 | 2026-04-21 |
| 3.19 | 3.19.5 | 2026-04-21 |
| 3.18 | 3.18.8 | 2026-04-21 |
| 3.17 | 3.17.14 | 2026-04-21 |
| 3.16 | 3.16.17 | 2026-04-21 |
| 3.15 | 3.15.21 | 2026-04-21 |
| 3.14 | 3.14.26 | 2026-04-21 |
What to do now
- Follow vendor remediation guidance and apply the patched GHES release for your deployed release line.
- Confirm whether private mode is disabled in any GHES environment (prod, staging, DR) and treat those instances as higher-risk until patched.
- Review instance access paths and exposure assumptions: SSRF impact increases materially when GHES can reach sensitive internal services.
- If compromise is suspected, prioritize review of logs/telemetry around notebook viewing/rendering requests and rotate secrets that could be present in environment variables accessible to the appliance.
