PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8606 GitHub CVE debrief

A Server-Side Request Forgery (SSRF) vulnerability in GitHub Enterprise Server's security advisories package lookup feature allowed attackers to direct HTTP requests to internal services. By targeting an internal management service and analyzing response timing, attackers could infer sensitive environment variable values including signing secrets and private keys. The vulnerability required GitHub Packages to be enabled. On non-private mode instances, exploitation was possible without authentication; otherwise, any authenticated user could exploit it. The issue affected all versions prior to 3.21.1 and was resolved in versions 3.20.3, 3.19.7, 3.18.10, 3.17.16, and 3.16.19. The vulnerability was reported through the GitHub Bug Bounty program.

Vendor
GitHub
Product
Enterprise Server
CVSS
HIGH 7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running GitHub Enterprise Server with GitHub Packages enabled, particularly those in non-private mode or with exposure to untrusted authenticated users. Security teams responsible for secrets management and infrastructure segmentation. Organizations with GitHub Enterprise Server instances that can reach internal management services.

Technical summary

The vulnerability exists in the security advisories package lookup feature of GitHub Enterprise Server. When GitHub Packages is enabled, the feature accepts package identifiers that can trigger server-side HTTP requests. An attacker can supply crafted input causing the server to issue requests to internal management services. By measuring response timing differences, the attacker can perform a side-channel attack to infer values of sensitive environment variables including signing secrets and private keys. The attack complexity is high due to the timing-based inference requirement, but the impact to subsequent systems is rated high for confidentiality. The vulnerability is exploitable without authentication on instances not running in private mode; authenticated access is required on private mode instances.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade GitHub Enterprise Server to a fixed version (3.21.1, 3.20.3, 3.19.7, 3.18.10, 3.17.16, or 3.16.19) as documented in official release notes
  • If immediate patching is not possible, consider disabling GitHub Packages if not required for operations
  • Review access logs for unusual requests to internal management services from the GitHub Enterprise Server instance
  • Monitor for anomalous timing patterns in responses from internal services that could indicate attempted secret inference
  • Verify instance private mode configuration; non-private mode instances face higher risk due to unauthenticated exploitation possibility
  • Conduct audit of environment variables and secrets that may have been exposed, particularly signing secrets and private keys
  • Review and rotate potentially compromised credentials if exploitation is suspected
  • Ensure network segmentation prevents GitHub Enterprise Server from reaching sensitive internal management services

Evidence notes

CVE description confirms SSRF via security advisories package lookup feature with timing-based inference of secrets. CVSS 4.0 vector indicates network attack vector, high attack complexity, present threat intelligence, no privileges required, no user interaction, low confidentiality impact to vulnerable component, high confidentiality impact to subsequent systems. CWE-918 (Server-Side Request Forgery) identified. Fix versions confirmed across 3.16.19 through 3.21.1.

Official resources

2026-05-27T00:16:37.900Z