
GitHub vulnerability CVE-2026-3854 allows code execution with a single git push


A high-severity vulnerability, identified as CVE-2026-3854, has been discovered in GitHub that enables remote code execution through a basic git push operation. This flaw affects various GitHub Enterprise products, including GitHub Enterprise Cloud and GitHub Enterprise Server. The vulnerability stems from a command injection issue, allowing an attacker with repository push access to execute arbitrary commands on vulnerable systems, posing significant risks to users of both GitHub.com and GitHub Enterprise Server, as reported by Security Affairs.

The vulnerability, CVE-2026-3854, arises from improper handling of special elements within GitHub Enterprise Server. During a git push, user-supplied push option values were not adequately sanitized before being incorporated into internal service headers. An attacker could exploit this by injecting additional metadata fields through crafted push options, so that downstream services treated attacker-controlled input as trusted data. This could alter execution environments, bypass sandbox protections, and run arbitrary commands on the server.
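The defect described above is a metadata-injection pattern: a value the client controls is copied into a line-oriented header block without being checked for the characters that delimit fields in that block. The following Python is an added illustration, not GitHub's code, and it does not describe GitHub's real internal protocol. It assumes a hypothetical header format of one `Key: Value` pair per CRLF-terminated line and a hypothetical `X-Push-Option-<key>` header name; both are inventions for the example. It shows the naive interpolation beside a validating builder that rejects control characters, over a constructed push-option list.

```python
import re

# Hypothetical internal header format (an assumption for illustration only, not GitHub's real protocol):
# one "Key: Value" pair per line, CRLF-terminated, with each push option forwarded
# as a header named "X-Push-Option-<key>".

# Keys: short, alphanumeric plus a few punctuation characters.
ALLOWED_KEY = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
# Values: reject every ASCII control character, which includes CR and LF
# (the line delimiters of the header format) and NUL.
FORBIDDEN_VALUE_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class PushOptionError(ValueError):
    """Raised when a push option cannot safely be forwarded as a header."""


def parse_push_option(opt: str):
    """Split 'key=value' as git delivers it (`git push -o key=value`); value may be empty."""
    key, _, value = opt.partition("=")
    return key, value


def build_headers_unsafe(push_options):
    """Vulnerable pattern: values are interpolated straight into the header block."""
    lines = [f"X-Push-Option-{k}: {v}" for k, v in map(parse_push_option, push_options)]
    return "\r\n".join(lines) + "\r\n"


def build_headers_safe(push_options, max_len=256):
    """Hardened builder: validate key and value before they touch the header block."""
    lines = []
    for opt in push_options:
        key, value = parse_push_option(opt)
        if not ALLOWED_KEY.match(key):
            raise PushOptionError(f"invalid push option key: {key!r}")
        if len(value) > max_len or FORBIDDEN_VALUE_CHARS.search(value):
            # Log-and-reject rather than strip: a stripped value can still change meaning,
            # and the rejection is itself a useful detection signal.
            raise PushOptionError(f"rejected push option value for key {key!r}")
        lines.append(f"X-Push-Option-{key}: {value}")
    return "\r\n".join(lines) + "\r\n"


def parse_headers(block: str):
    """What a downstream service would see after parsing the header block."""
    headers = {}
    for line in block.split("\r\n"):
        if line:
            name, _, value = line.partition(": ")
            headers[name] = value
    return headers


# Constructed sample input: one benign option and one whose value carries a line break
# followed by a field the client should never be able to set.
CONSTRUCTED_OPTIONS = [
    "ci-skip=true",
    "note=hello\r\nX-Internal-Trusted: yes",
]


def compare(push_options):
    """Return (headers seen downstream via the unsafe builder, whether the safe builder rejected)."""
    seen_unsafe = parse_headers(build_headers_unsafe(push_options))
    try:
        build_headers_safe(push_options)
        rejected = False
    except PushOptionError:
        rejected = True
    return seen_unsafe, rejected


if __name__ == "__main__":
    seen, rejected = compare(CONSTRUCTED_OPTIONS)
    print("downstream sees (unsafe builder):", sorted(seen))
    print("safe builder rejected the batch:", rejected)
```

With the unsafe builder the downstream parser reports three headers, including the client-supplied `X-Internal-Trusted`, even though only two push options were sent; the validating builder refuses the batch before any header is emitted. The same check belongs wherever a push option, commit trailer or similar client-controlled string is forwarded into a structured internal message.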

Wiz researchers reported the flaw on March 4, 2026, and GitHub addressed it within two hours by sanitizing the inputs and releasing patches for affected Enterprise Server versions. No real-world exploitation beyond the researchers' tests was found, and no customer data was compromised. The vulnerability could have allowed attackers to execute code on shared storage nodes, potentially exposing millions of repositories on GitHub.com, or to gain full system compromise on Enterprise Server instances. Wiz highlighted that 88% of instances remained vulnerable at the time of its report and urged immediate upgrades.

Source: Security Affairs
