Critical GitHub RCE Flaw: CVE-2026-3854 (CVSS 8.7) Uncovered
Introduction
Cybersecurity researchers have recently detailed a critical remote code execution (RCE) vulnerability impacting GitHub.com and GitHub Enterprise Server. This flaw, identified as CVE-2026-3854, carries a CVSS score of 8.7 and permits an authenticated user to achieve arbitrary code execution on the server. The exploit can be triggered with a single git push command.
CVE-2026-3854 matters because it sits on the path every push takes: strings supplied by the client were carried into internal services and read back as configuration. It illustrates how hard it is to secure platforms at the centre of the software supply chain. Organizations that rely on GitHub for code hosting and collaboration should understand the technical details and apply the mitigations promptly.
The issue was identified by Wiz, a cloud security firm, and promptly fixed by GitHub on its cloud services. Self-hosted GitHub Enterprise Server instances, however, require a manual update to remove the exposure. Understanding vulnerabilities of this kind is essential both for breach detection and for keeping development practices secure.
What is CVE-2026-3854 and why is it critical?
CVE-2026-3854 is a command injection vulnerability affecting GitHub's internal processing of git push operations. It is critical because an attacker with push access to a repository can achieve remote code execution on the GitHub instance. This grants unauthorized control over the affected system.
The root cause is insufficient sanitization of user-supplied git push option values. These values were copied into an internal service header, X-Stat, without validation. The header's metadata format uses the semicolon as a field delimiter, and nothing prevented a push option from containing a semicolon. A semicolon inside a push option therefore terminated the option field and began a new metadata field whose name and value the attacker chose, changing how the receiving service interpreted the header.
Delimiter injection of this kind, where untrusted input crosses a trust boundary inside a serialized format and is later read back as configuration, is a recurring source of critical flaws. It shows why every data path deserves scrutiny, especially where several services or languages exchange data, as discussed in our analysis of software supply chain vulnerabilities.
Vulnerability Details
CVE-2026-3854 originates in the Git push pipeline. Git's --push-option=<string> flag (short form -o) lets the client transmit arbitrary strings to the server alongside a push; Git imposes no structure on them and, on servers that accept push options, hands them verbatim to the pre-receive and post-receive hooks. GitHub's backend carried these user-provided strings into the internal X-Stat header without adequate sanitization.
Because the header format uses semicolons to delimit metadata fields, a push option containing a semicolon is indistinguishable, to the parser, from the end of one field and the start of the next. An attacker could therefore append metadata fields of their own choosing, and the downstream parser accepted them as if the backend had set them.
Specifically, the vulnerability affects the following GitHub products:
- GitHub.com
- GitHub Enterprise Cloud
- GitHub Enterprise Cloud with Data Residency
- GitHub Enterprise Cloud with Enterprise Managed Users
- GitHub Enterprise Server
GitHub has issued advisories and deployed fixes for its cloud services. For GitHub Enterprise Server, the fix is included in versions:
- 3.14.25
- 3.15.20
- 3.16.16
- 3.17.13
- 3.18.8
- 3.19.4
- 3.20.0
- Or later versions.
The issue was discovered and reported by Wiz on March 4, 2026. GitHub promptly validated the report and deployed a fix to GitHub.com within two hours of receiving the disclosure.
Exploitation and Impact
Exploiting CVE-2026-3854 is described as relatively simple, requiring only push access to a repository. Wiz researchers demonstrated a chain that combines several injected fields to execute arbitrary commands as the git user, bypassing the sandboxing normally applied to hook execution.
The exploitation chain proceeds as follows:
- Inject a non-production rails_env value and a custom_hooks_dir: changing rails_env makes the system run hooks in a less restricted, non-production configuration, bypassing the sandbox configured for hook execution, while custom_hooks_dir redirects the directory the system searches for custom hooks to one the attacker controls.
- Inject repo_pre_receive_hooks with a crafted hook entry: the crafted entry triggers a path traversal, so the hook path resolves to the attacker's script, which then executes arbitrary commands with the privileges of the git user.
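The model below is an added illustration of the delimiter overlap described in the Vulnerability Details section and of the three fields named in the chain above; it is not GitHub's code. The real X-Stat layout is not public, so the script assumes semicolon-separated key=value fields with the push options appended as one field, and it assumes a parser in which a repeated key overwrites the earlier one. Field names follow the write-up; all values, the attacker string and the KNOWN_KEYS schema are constructed for the example. It stops at the parsed metadata and does not model hook execution.

```python
"""Model of the delimiter-injection class behind CVE-2026-3854.

Added example, not GitHub's code. The real X-Stat layout is not public;
this assumes semicolon-separated key=value fields and that the push
options are appended as one field. Field names come from the write-up;
the values are constructed.
"""
from urllib.parse import quote, unquote

DELIM = ";"

# Metadata the backend sets for a push (constructed values).
SERVER_FIELDS = {
    "repo_id": "1234",
    "rails_env": "production",
    "enterprise": "false",
    "custom_hooks_dir": "/data/user/git-hooks",
    "repo_pre_receive_hooks": "",
}

# What an attacker would send with `git push -o '<value>'` (constructed).
# Each ';' ends the push_options field and starts a field of their choosing.
ATTACKER_OPTION = (
    "ci.skip"
    ";rails_env=development"
    ";custom_hooks_dir=/tmp/evil"
    ";repo_pre_receive_hooks=../../tmp/evil/run.sh"
)


def build_x_stat_unsafe(server_fields, push_options):
    """Vulnerable builder: user strings are joined into the header verbatim."""
    fields = dict(server_fields)
    fields["push_options"] = " ".join(push_options)
    return DELIM.join(f"{key}={value}" for key, value in fields.items())


def parse_x_stat_unsafe(header):
    """Naive parser: splits on ';'; a repeated key silently overwrites the earlier one."""
    parsed = {}
    for field in header.split(DELIM):
        if field:
            key, _, value = field.partition("=")
            parsed[key] = value
    return parsed


def build_x_stat_safe(server_fields, push_options):
    """Hardened builder: percent-encode every value so ';' and '=' never appear raw."""
    fields = dict(server_fields)
    fields["push_options"] = " ".join(push_options)
    return DELIM.join(f"{key}={quote(str(value), safe='')}" for key, value in fields.items())


# Schema of fields the receiver is willing to accept (assumed for the example).
KNOWN_KEYS = frozenset(SERVER_FIELDS) | {"push_options"}


def parse_x_stat_safe(header):
    """Hardened parser: decodes values, rejects unknown, malformed and duplicate keys."""
    parsed = {}
    for field in header.split(DELIM):
        if not field:
            continue
        key, sep, value = field.partition("=")
        if not sep or key not in KNOWN_KEYS:
            raise ValueError(f"unexpected field {key!r}")
        if key in parsed:
            raise ValueError(f"duplicate field {key!r}")
        parsed[key] = unquote(value)
    return parsed


def rejects(header):
    """True if the hardened parser refuses the header."""
    try:
        parse_x_stat_safe(header)
    except ValueError:
        return True
    return False


def demo():
    """Run the same push option through both pipelines; returns (vulnerable, hardened) views."""
    vulnerable = parse_x_stat_unsafe(build_x_stat_unsafe(SERVER_FIELDS, [ATTACKER_OPTION]))
    hardened = parse_x_stat_safe(build_x_stat_safe(SERVER_FIELDS, [ATTACKER_OPTION]))
    return vulnerable, hardened


if __name__ == "__main__":
    vulnerable, hardened = demo()
    for name in ("rails_env", "custom_hooks_dir", "repo_pre_receive_hooks"):
        print(f"{name:24} vulnerable={vulnerable[name]!r:36} hardened={hardened[name]!r}")
    print("push option survives intact:", hardened["push_options"] == ATTACKER_OPTION)
```

In the vulnerable path the single push option overwrites rails_env, custom_hooks_dir and repo_pre_receive_hooks, which is exactly the state the chain needs. Percent-encoding closes the delimiter confusion, and the strict schema with duplicate rejection turns any remaining confusion into a hard error instead of a silent override. The more robust design is to keep execution environment and hook paths out of any record that also carries user data, so that the parser never has to decide which copy of rails_env to trust.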
On GitHub Enterprise Server (GHES) instances, this sequence grants full control over the instance. This includes filesystem read/write access and visibility into internal service configurations. Such access can lead to significant data exfiltration or system compromise, impacting the integrity of the code repositories and underlying infrastructure.
On GitHub.com the custom hooks path is normally inactive because an enterprise mode flag, also carried in the X-Stat header, defaults to false. That flag is injectable by the same mechanism, so the chain extends to code execution on GitHub.com as well. Because GitHub.com is multi-tenant with shared backend infrastructure, code execution there meant cross-tenant exposure: an attacker on a shared storage node could potentially read millions of repositories belonging to arbitrary organizations and users, a severe threat to data confidentiality across the platform. The scenario is comparable to other critical RCE flaws that yield widespread arbitrary code execution, such as those in our analysis of critical Adobe RCE flaws.
There is no evidence that CVE-2026-3854 was exploited in the wild before public disclosure. At the time of disclosure, however, approximately 88% of GitHub Enterprise Server instances were still unpatched.
Mitigation and Patches
Applying the available updates for CVE-2026-3854 is the primary and most effective mitigation. GitHub promptly addressed the vulnerability on GitHub.com. For GitHub Enterprise Server users, immediate action is necessary.
Organizations operating GitHub Enterprise Server must update to a patched release: 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4, 3.20.0, or any subsequent release. Compare the running version against the fixed release for its own minor branch: 3.14.25 is patched while 3.15.19, despite the higher version number, is not.
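The check below is an added example for triaging a fleet of GitHub Enterprise Server instances against the fixed releases listed above; it is not a GitHub tool. It compares patch levels within a minor branch as integers and makes one labelled assumption: a branch newer than 3.20 is treated as fixed because 3.20.0 already carries the fix. Branches older than 3.14 have no fixed release on this page and are reported as vulnerable. The fleet versions in the usage block are constructed.

```python
"""Branch-aware check of GitHub Enterprise Server versions against the fixed
releases for CVE-2026-3854. Added example, not a GitHub tool."""

# Fixed releases as given in the advisory summary, one per supported minor branch.
FIXED_VERSIONS = ["3.14.25", "3.15.20", "3.16.16", "3.17.13", "3.18.8", "3.19.4", "3.20.0"]


def parse_version(text):
    """'3.17.12' -> (3, 17, 12); rejects anything that is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(part.isdigit() for part in parts):
        raise ValueError(f"unrecognised GHES version: {text!r}")
    return tuple(int(part) for part in parts)


# Minimum patched release per (major, minor) branch, e.g. (3, 17) -> 13.
FIXED_PATCH_BY_BRANCH = {
    (major, minor): patch for major, minor, patch in map(parse_version, FIXED_VERSIONS)
}
NEWEST_FIXED_BRANCH = max(FIXED_PATCH_BY_BRANCH)


def is_patched(version):
    """True if this release contains the fix for CVE-2026-3854."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_PATCH_BY_BRANCH:
        # Same branch: compare patch levels as integers, never as strings
        # ("3.18.10" sorts before "3.18.8" lexicographically, but 10 >= 8).
        return patch >= FIXED_PATCH_BY_BRANCH[branch]
    if branch > NEWEST_FIXED_BRANCH:
        # Assumption: branches cut after 3.20.0 inherit the fix.
        return True
    # Older branches have no fixed release listed; treat as unpatched and
    # plan a branch upgrade rather than waiting for a point release.
    return False


def triage(versions):
    """Map each version string to 'patched' or 'vulnerable' for a fleet report."""
    return {v: ("patched" if is_patched(v) else "vulnerable") for v in versions}


if __name__ == "__main__":
    # Constructed fleet for illustration.
    fleet = ["3.14.25", "3.15.19", "3.17.12", "3.18.10", "3.13.9", "3.21.0"]
    for version, status in triage(fleet).items():
        print(f"{version:10} {status}")
```

Feed it the version reported by each instance's management console or API and act on every entry marked vulnerable; the report deliberately fails closed for version strings it cannot parse.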
Beyond patching, the root cause points at what to audit. Wherever user-controlled input is serialized into an internal protocol, the delimiter and escaping rules must be enforced at the point the record is built, and security-critical configuration such as the execution environment or hook directories should not travel in the same field set as user data, or at least must be validated against a strict schema when read back. Auditing these flows proactively is how similar logic flaws are found before they turn into command injection or arbitrary code execution.
Regular supply-chain risk monitoring is also essential, since platforms like GitHub are integral to the software development supply chain. Dark web monitoring and underground forum intelligence can give early warning of discussion of, or attempts to exploit, such vulnerabilities, sometimes before official disclosure.
Technical Takeaways
- CVE-2026-3854 is a critical remote code execution (RCE) flaw (CVSS 8.7) affecting GitHub.com and GitHub Enterprise Server.
- The vulnerability is a command injection flaw exploitable by an authenticated user with push access via a single git push command.
- Root cause: improper sanitization of user-supplied git push options within the internal X-Stat header.
- Exploitation chains several injected fields to bypass sandboxing and execute arbitrary commands as the git user.
- Impact includes full control over GitHub Enterprise Server instances and cross-tenant repository access on GitHub.com.
- Patches are available for GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4, 3.20.0, and later. Immediate update is advised.