CVE-2026-8034 · CRITICAL 9.8 · EPSS percentile 28.0%

Description

A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library. The hostname validation used a different URL parser than the request library, enabling a crafted URL to pass validation while directing the request to an unintended host. Exploitation required network access to the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.16.18, 3.17.15, 3.18.9, 3.19.6, and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program.
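The parser-confusion pattern the description refers to (CWE-436 feeding CWE-918), as an added illustration that is not GitHub's code: the advisory does not say which two parsers GHES used, so this example pairs Node's WHATWG `URL` parser on the validation side with an RFC 3986 Appendix B parser standing in for the HTTP request library. The allowlisted host `notebooks.example.com`, the internal address `10.0.0.5`, the function names and the crafted URL are all constructed for the example.

```javascript
// Added illustration of CWE-436 -> CWE-918 (URL parser confusion leading to SSRF).
// Not GitHub Enterprise Server code; hosts, allowlist and URLs are constructed.
const ALLOWED_HOSTS = new Set(["notebooks.example.com"]);

// Side A: the validation layer. Uses the WHATWG URL parser (Node's global URL).
// For http(s) URLs WHATWG treats "\" exactly like "/", i.e. it ENDS the authority.
function validateWithWhatwg(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return { ok: false, host: null }; }
  return { ok: ALLOWED_HOSTS.has(u.hostname), host: u.hostname };
}

// Side B: the "request library". Parses with the RFC 3986 Appendix B regex.
// Here the authority runs to the first "/", "?" or "#" (a "\" is just a byte),
// and the host is whatever follows the LAST "@" (userinfo syntax).
const RFC3986 = /^(([^:\/?#]+):)?(\/\/([^\/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?/;
function hostPerRfc3986(rawUrl) {
  const m = RFC3986.exec(rawUrl);
  let authority = m[4] || "";                 // group 4 = authority
  const at = authority.lastIndexOf("@");
  if (at !== -1) authority = authority.slice(at + 1);   // strip userinfo
  if (authority.startsWith("[")) {            // IPv6 literal: keep the brackets
    authority = authority.slice(0, authority.indexOf("]") + 1);
  } else {
    const colon = authority.indexOf(":");     // strip port
    if (colon !== -1) authority = authority.slice(0, colon);
  }
  return authority.toLowerCase();
}

// Vulnerable flow: validate with parser A, then hand the RAW string to parser B.
// Returns the host the request layer would actually connect to, or null if blocked.
function vulnerableFetchTarget(rawUrl) {
  const v = validateWithWhatwg(rawUrl);
  if (!v.ok) return null;
  return hostPerRfc3986(rawUrl);
}

// Hardened flow: parse once, reject userinfo, and pass the canonical
// serialization (href) to the request layer, then check both views agree.
function hardenedFetchTarget(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  if (u.username || u.password) return null;  // no "user@host" in outbound URLs
  if (!ALLOWED_HOSTS.has(u.hostname)) return null;
  const normalized = u.href;                  // "\" has been rewritten to "/" here
  const requestHost = hostPerRfc3986(normalized);
  return requestHost === u.hostname ? requestHost : null;
}

// Constructed attack input: a single backslash between the allowed host and "@".
const CRAFTED = "http://notebooks.example.com\\@10.0.0.5/";
const LEGIT = "https://notebooks.example.com/u/repo/notebook.ipynb";

for (const url of [LEGIT, CRAFTED, "http://10.0.0.5/"]) {
  console.log(url,
    "| validator sees:", validateWithWhatwg(url).host,
    "| vulnerable connects to:", vulnerableFetchTarget(url),
    "| hardened connects to:", hardenedFetchTarget(url));
}
```

The disagreement is the backslash: the WHATWG parser ends the host at `\`, so the validator sees `notebooks.example.com` and approves; the RFC 3986 parser keeps reading to the `/`, finds an `@`, and takes `10.0.0.5` as the host. The hardened version closes the gap by making one parser authoritative and forwarding its serialization (`http://notebooks.example.com/@10.0.0.5/`) instead of the attacker's string, and by refusing userinfo outright. Checking the allowlist again at connect time, against the resolved address, is the usual second layer for SSRF and is independent of which parser wins.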

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.36% probability of exploitation · percentile 28.0% · scored 2026-06-19T12:03:05Z
Published: 2026-05-07
Last modified: 2026-05-11

Underlying weaknesses (2)

CWE-436 (Interpretation Conflict), CWE-918 (Server-Side Request Forgery)

References

  1. https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.18
  2. https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.15
  3. https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.9
  4. https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.6
  5. https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.2

Type      Target                                  Confidence  Tier
Weakness  Interpretation Conflict (cwe-436)       0%          live
Weakness  Server-Side Request Forgery (cwe-918)   0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-9312
  2. CVE-2026-5921
  3. CVE-2026-8606
  4. CVE-2026-0573
  5. CVE-2026-4296
  6. CVE-2025-23369
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.