{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5921", "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "state": "PUBLISHED", "assignerShortName": "GitHub_P", "dateReserved": "2026-04-08T20:59:17.367Z", "datePublished": "2026-04-21T22:11:02.077Z", "dateUpdated": "2026-04-22T13:18:03.644Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "shortName": "GitHub_P", "dateUpdated": "2026-04-21T22:11:28.950Z"}, "title": "Server-Side Request Forgery in GitHub Enterprise Server allowed extraction of sensitive environment variables via timing side-channel attack", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-462", "descriptions": [{"lang": "en", "value": "CAPEC-462 Cross-Domain Search Timing"}]}], "affected": [{"vendor": "GitHub", "product": "Enterprise Server", "versions": [{"status": "affected", "version": "3.14.0", "lessThan": "3.14.26", "changes": [{"at": "3.14.26", "status": "unaffected"}], "versionType": "semver"}, {"status": "affected", "version": "3.15.0", "lessThan": "3.15.21", "changes": [{"at": "3.15.21", "status": "unaffected"}], "versionType": "semver"}, {"status": "affected", "version": "3.16.0", "lessThan": "3.16.17", "changes": [{"at": "3.16.17", "status": "unaffected"}], "versionType": "semver"}, {"status": "affected", "version": "3.17.0", "lessThan": "3.17.14", "changes": [{"at": "3.17.14", "status": "unaffected"}], "versionType": "semver"}, {"status": "affected", "version": "3.18.0", "lessThan": "3.18.8", "changes": [{"at": "3.18.8", "status": "unaffected"}], "versionType": "semver"}, {"status": "affected", "version": "3.19.0", "lessThan": "3.19.5", "changes": [{"at": "3.19.5", "status": "unaffected"}], "versionType": "semver"}, {"status": "affected", "version": "3.20.0", "lessThan": "3.20.1", "changes": [{"at": "3.20.1", "status": "unaffected"}], "versionType": "semver"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating the destination host, enabling an unauthenticated SSRF to internal services. By chaining this with regex filter queries against an internal API and measuring response time differences, an attacker could infer secret values character by character. Exploitation required that private mode be disabled and that the attacker be able to chain the instance's open redirect endpoint through an external redirect to reach internal services.\u00a0This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating the destination host, enabling an unauthenticated SSRF to internal services. By chaining this with regex filter queries against an internal API and measuring response time differences, an attacker could infer secret values character by character. Exploitation required that private mode be disabled and that the attacker be able to chain the instance's open redirect endpoint through an external redirect to reach internal services.&nbsp;This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.<br><br>"}]}], "references": [{"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.26", "tags": ["release-notes"]}, {"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.21", "tags": ["release-notes"]}, {"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.17", "tags": ["release-notes"]}, {"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.14", "tags": ["release-notes"]}, {"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.8", "tags": ["release-notes"]}, {"url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.5", "tags": ["release-notes"]}, {"url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1", "tags": ["release-notes"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "PROOF_OF_CONCEPT", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.9, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:P"}}], "credits": [{"lang": "en", "value": "R31n", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T13:17:53.690876Z", "id": "CVE-2026-5921", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:18:03.644Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Server-Side Request Forgery in GitHub Enterprise Server allowed extraction of sensitive environment variables via timing side-channel attack", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "R31n"}], "impacts": [{"capecId": "CAPEC-462", "descriptions": [{"lang": "en", "value": "CAPEC-462 Cross-Domain Search Timing"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:P", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "GitHub", "product": "Enterprise Server", "versions": [{"status": "affected", "changes": [{"at": "3.14.26", "status": "unaffected"}], "version": "3.14.0", "lessThan": "3.14.26", "versionType": "semver"}, {"status": "affected", "changes": [{"at": "3.15.21", "status": "unaffected"}], "version": "3.15.0", "lessThan": "3.15.21", "versionType": "semver"}, {"status": "affected", "changes": [{"at": "3.16.17", "status": "unaffected"}], "version": "3.16.0", "lessThan": "3.16.17", "versionType": "semver"}, {"status": "affected", "changes": [{"at": "3.17.14", "status": "unaffected"}], "version": "3.17.0", "lessThan": "3.17.14", "versionType": "semver"}, {"status": "affected", "changes": [{"at": "3.18.8", "status": "unaffected"}], "version": "3.18.0", "lessThan": "3.18.8", "versionType": "semver"}, {"status": "affected", "changes": [{"at": "3.19.5", "status": "unaffected"}], "version": "3.19.0", "lessThan": "3.19.5", "versionType": "semver"}, {"status": "affected", "changes": [{"at": "3.20.1", "status": "unaffected"}], "version": "3.20.0", "lessThan": "3.20.1", "versionType": "semver"}], "defaultStatus": "affected"}], "references": [{"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.26", "tags": ["release-notes"]}, {"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.21", "tags": ["release-notes"]}, {"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.17", "tags": ["release-notes"]}, {"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.14", "tags": ["release-notes"]}, {"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.8", "tags": ["release-notes"]}, {"url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.5", "tags": ["release-notes"]}, {"url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1", "tags": ["release-notes"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating the destination host, enabling an unauthenticated SSRF to internal services. By chaining this with regex filter queries against an internal API and measuring response time differences, an attacker could infer secret values character by character. Exploitation required that private mode be disabled and that the attacker be able to chain the instance's open redirect endpoint through an external redirect to reach internal services.\u00a0This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.", "supportingMedia": [{"type": "text/html", "value": "A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating the destination host, enabling an unauthenticated SSRF to internal services. By chaining this with regex filter queries against an internal API and measuring response time differences, an attacker could infer secret values character by character. Exploitation required that private mode be disabled and that the attacker be able to chain the instance's open redirect endpoint through an external redirect to reach internal services.&nbsp;This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.<br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "shortName": "GitHub_P", "dateUpdated": "2026-04-21T22:11:28.950Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5921", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-22T13:17:53.690876Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-22T13:17:58.169Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-5921", "state": "PUBLISHED", "dateUpdated": "2026-04-21T22:11:28.950Z", "dateReserved": "2026-04-08T20:59:17.367Z", "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "datePublished": "2026-04-21T22:11:02.077Z", "assignerShortName": "GitHub_P"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "72A92258-9FCC-41E0-856B-3C2A495575A6", "versionEndExcluding": "3.14.26", "vulnerable": true}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A14A459-881C-437A-88EC-D721E3005329", "versionEndExcluding": "3.15.21", "versionStartIncluding": "3.15.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B7DCD9A-2CF0-4D96-AA96-ACEC662A8E1F", "versionEndExcluding": "3.16.17", "versionStartIncluding": "3.16.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "CEC2ADE6-3E31-4889-9A73-B6695FE0AB52", "versionEndExcluding": "3.17.14", "versionStartIncluding": "3.17.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B15B12E-00A8-48E8-81DE-54506B94A2C5", "versionEndExcluding": "3.18.8", "versionStartIncluding": "3.18.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "56903EAF-4579-4263-AB0F-863323E7C81A", "versionEndExcluding": "3.19.5", "versionStartIncluding": "3.19.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:github:enterprise_server:3.20.0:*:*:*:*:*:*:*", "matchCriteriaId": "DCA4F97D-688E-45D2-90C0-8A11E9B531AA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating the destination host, enabling an unauthenticated SSRF to internal services. By chaining this with regex filter queries against an internal API and measuring response time differences, an attacker could infer secret values character by character. Exploitation required that private mode be disabled and that the attacker be able to chain the instance's open redirect endpoint through an external redirect to reach internal services.\u00a0This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program."}], "id": "CVE-2026-5921", "lastModified": "2026-04-28T20:43:12.443", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "product-cna@github.com", "type": "Secondary"}]}, "published": "2026-04-21T23:16:22.667", "references": [{"source": "product-cna@github.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.26"}, {"source": "product-cna@github.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.21"}, {"source": "product-cna@github.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.17"}, {"source": "product-cna@github.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.14"}, {"source": "product-cna@github.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.8"}, {"source": "product-cna@github.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.5"}, {"source": "product-cna@github.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1"}], "sourceIdentifier": "product-cna@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "product-cna@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.14.0,3.14.26)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.15.0,3.15.21)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.16.0,3.16.17)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.17.0,3.17.14)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.18.0,3.18.8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.19.0,3.19.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.20.0,3.20.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Enterprise Server", "source": "cna", "vendor": "GitHub"}, "product": "enterprise_server", "vendor": "github"}], "analysis": {"en": {"generated_at": "2026-04-22T06:19:21.154083+00:00", "value": {"mitigation_remediation": ["Upgrade the GitHub Enterprise Server to the most recent release that contains the patch (for example, any version 3.21 or newer).", "If an upgrade is not immediately feasible, enable private mode in the notebook viewer to prevent the service from following redirects to internal hosts.", "As an additional temporary countermeasure, restrict or disable open redirect functionality so that the instance cannot be chained to internal services."], "summary": {"action": "Upgrade", "impact": "Sensitive data exposure via SSRF and timing attack"}, "threat_synthesis": {"affected_systems": "The flaw applies to all GitHub Enterprise Server releases prior to v3.21. It was fixed in the following patch releases: 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.08, 3.19.05, and 3.20.01. Users running older versions should check for and apply the latest update that includes this fix.", "description_and_impact": "A server\u2011side request forgery flaw in GitHub Enterprise Server allowed an attacker to perform a timing side\u2011channel attack against the notebook rendering service, extracting sensitive environment variables one character at a time. The vulnerability arises because the notebook viewer follows HTTP redirects without revalidating the destination host when private mode is disabled, permitting an unauthenticated SSRF to internal services. By chaining the instance\u2019s open redirect endpoint through an external redirect, an attacker can query an internal API with regex filters and measure response times to infer environment variable values. This reflects a classic CWE\u2011918 weakness where untrusted input is used to construct internal requests.", "risk_and_exploitability": "The CVSS score of 8.9 indicates a high\u2011severity vulnerability that could lead to the compromise of confidential configuration information. The EPSS score is not available, and the issue is not listed in CISA KEV, but the lack of public exploitation data does not reduce the potential threat for customers who are exposed. The attack requires: private mode disabled, the ability to chain the instance\u2019s open redirect endpoint through an external redirect to an internal service, and a working regex API endpoint. Once these prerequisites are met, an attacker can launch a side\u2011channel attack, steadily revealing sensitive environment variables with a high degree of confidence within a reasonable time frame."}}}}, "created": "2026-04-22T04:30:05.161050+00:00", "updated": "2026-04-22T06:30:10.669216+00:00", "vendors": ["github", "github$PRODUCT$enterprise_server"]}