Critical Command Injection Vulnerability in GitHub (CVE-2026-3854) Exposed Millions of Repositories to RCE

Critical GitHub RCE Flaw (CVE-2026-3854) Allowed Full Server Compromise via Single 'git push'

CRITICAL
April 30, 2026
Vulnerability, Supply Chain Attack, Cloud Security

Related Entities

  • Other: Alexis Wales
  • CVE Identifiers: CVE-2026-3854 (HIGH, CVSS 8.7)

Full Report

Executive Summary

Security firm Wiz has discovered and disclosed a critical remote code execution (RCE) vulnerability in GitHub, tracked as CVE-2026-3854 with a CVSS score of 8.7. The flaw was a command injection bug exploitable by any authenticated user via a single git push command. It impacted the multi-tenant GitHub.com service as well as self-hosted GitHub Enterprise Server (GHES) instances. Successful exploitation on GitHub.com could have granted access to millions of public and private repositories, while on GHES it could lead to a full compromise of the server. GitHub quickly patched the issue on its cloud service and released updates for GHES. However, at the time of disclosure, an estimated 88% of internet-facing GHES instances were still unpatched, posing a significant supply chain risk.


Vulnerability Details

The vulnerability was a command injection flaw in the backend service that processes git push operations. When a user performs a git push, they can include options using the --push-option flag. The researchers at Wiz found that GitHub's backend did not properly sanitize these user-supplied option strings before passing them to downstream services.

The internal protocol used a delimiter character that could also be injected by an attacker within the push option's value. This allowed an attacker to break out of the intended data field and inject malicious metadata fields into the internal service headers. A downstream service would then misinterpret this injected metadata as a legitimate command and execute it on the backend server, leading to RCE.

The exploit was described as easy to perform, requiring only a standard git client, authentication to GitHub, and push access to at least one repository.
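To make the delimiter problem described above concrete, here is an added example (not GitHub's code; the article does not name the real delimiter or header layout) of a toy internal header that joins fields with a hypothetical ':' delimiter, beside a hardened encoder that length-prefixes every field so a delimiter inside a user value can never become a field boundary.

```python
# Added example, not GitHub's implementation. The header format, the ':'
# delimiter, the "push" opcode and the field names are all hypothetical.
DELIM = ":"


def build_header_naive(repo, push_option):
    """Vulnerable pattern: user-supplied data is concatenated with the
    delimiter unescaped, so a delimiter in push_option adds a field."""
    return DELIM.join(["push", repo, push_option])


def parse_header_naive(header):
    """Downstream parser of the naive format: splits on the delimiter."""
    return header.split(DELIM)


def is_clean_field(value):
    """Reject ASCII control characters (newline, NUL, DEL, ...) outright;
    a framing layer should never carry them from untrusted input."""
    return not any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)


def build_header_safe(repo, push_option):
    """Hardened: each field is written as <length><DELIM><bytes>, so the
    parser consumes exactly <length> characters and never scans for the
    delimiter inside a value. Control characters are refused."""
    fields = ["push", repo, push_option]
    for f in fields:
        if not is_clean_field(f):
            raise ValueError("control character in header field")
    return "".join(f"{len(f)}{DELIM}{f}" for f in fields)


def parse_header_safe(header):
    """Length-prefixed parser: reads the length, then that many characters."""
    fields, i = [], 0
    while i < len(header):
        j = header.index(DELIM, i)          # end of the length prefix
        n = int(header[i:j])                # ValueError on a malformed prefix
        fields.append(header[j + 1:j + 1 + n])
        i = j + 1 + n
    return fields


if __name__ == "__main__":
    # Constructed value containing the delimiter: the naive parser sees
    # four fields, the hardened one round-trips exactly three.
    opt = "notify=team:extra"
    print(parse_header_naive(build_header_naive("org/repo", opt)))
    print(parse_header_safe(build_header_safe("org/repo", opt)))
```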

Affected Systems

  • GitHub.com: The multi-tenant cloud service was vulnerable. The issue has been mitigated by GitHub.
  • GitHub Enterprise Cloud: The cloud-hosted enterprise service was vulnerable and has been patched.
  • GitHub Enterprise Server (GHES): The following self-hosted versions are vulnerable:
    • Versions before 3.14.25
    • Versions before 3.15.20
    • Versions before 3.16.16
    • Versions before 3.17.13
    • Versions before 3.18.8
    • Versions before 3.19.4

Exploitation Status

There is no evidence that this vulnerability was exploited in the wild before it was reported by Wiz. GitHub acted quickly to patch its own infrastructure. However, the public disclosure and the high number of unpatched self-hosted GHES instances create a significant window of opportunity for attackers.

Impact Assessment

The impact of CVE-2026-3854 is severe and represents a major software supply chain risk:

  • On GitHub.com: Exploitation granted RCE on shared storage nodes. Although those nodes were likely sandboxed, the access could still have exposed source code from millions of public and private repositories, including secrets, intellectual property, and personal data.
  • On GitHub Enterprise Server: The impact is more severe still. A successful exploit could lead to a full compromise of the self-hosted server, giving an attacker complete control over all source code repositories, CI/CD pipelines, and internal secrets (e.g., API keys, credentials) stored on the instance. An attacker could then inject malicious code into production applications, creating a widespread supply chain attack.

At the time of disclosure, Wiz estimated that 88% of internet-facing GHES instances were still vulnerable, making this a high-priority issue for many organizations.


Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

  • Command Line Pattern: git push --push-option. Audit git logs on developer workstations and CI/CD runners for unusual or malformed strings being passed via --push-option.
  • Log Source: github-logs/git-actions.log (on GHES). On GitHub Enterprise Server, review git action logs for anomalous push operations containing unexpected characters or command structures in the options.
  • Network Traffic Pattern: Unusual outbound connections from GHES servers. A compromised GHES server may initiate connections to attacker-controlled infrastructure. Monitor for unexpected outbound traffic.

Detection Methods

  1. Version Scanning: Use asset management or vulnerability scanning tools to identify all instances of GitHub Enterprise Server in your environment and check if their version numbers are below the patched levels.
  2. Log Analysis (D3-NTA): Centralize and analyze logs from GHES instances. Create detection rules to look for git push commands with abnormally long or complex --push-option strings, especially those containing shell metacharacters.
  3. Behavioral Monitoring: Monitor GHES servers for anomalous behavior, such as unexpected processes being spawned by git-related services or outbound network connections to unknown destinations.
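The Hunting Hints and the Log Analysis step above both ask for a rule that flags push operations whose --push-option values carry shell metacharacters, control characters or unusual length. The following added example (not from the article, GitHub or Wiz) implements that check over constructed log lines; the line format, field names and the 64-character threshold are assumptions, since GHES's real git-actions.log layout is not given on the page.

```python
import re

# Characters the Detection Methods section calls shell metacharacters.
SHELL_META = set(";|&$`<>(){}")
MAX_OPTION_LEN = 64  # hypothetical threshold; tune to what your CI normally sends

# Constructed sample lines in a hypothetical format, not real GHES output.
SAMPLE_LINES = [
    '2026-04-29T10:12:03Z user=alice repo=org/app op=receive-pack push_option="ci.skip"',
    '2026-04-29T10:13:44Z user=bob repo=org/app op=receive-pack push_option="notify=team"',
    '2026-04-29T10:15:09Z user=carol repo=org/infra op=receive-pack push_option="skip;x"',
    '2026-04-29T10:16:30Z user=dave repo=org/app op=receive-pack push_option="' + "a" * 80 + '"',
]

OPTION_RE = re.compile(r'push_option="((?:[^"\\]|\\.)*)"')
USER_RE = re.compile(r"user=(\S+)")


def suspicious_reasons(value):
    """Return the list of reasons a single push-option value looks abnormal
    (empty list means it passed every check)."""
    reasons = []
    meta = sorted({c for c in value if c in SHELL_META})
    if meta:
        reasons.append("shell metacharacters: " + repr("".join(meta)))
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        reasons.append("control characters")
    if len(value) > MAX_OPTION_LEN:
        reasons.append(f"length {len(value)} > {MAX_OPTION_LEN}")
    return reasons


def scan_log(lines):
    """Scan log lines for push-option values (a push may carry several) and
    report each one that trips a check, with the acting user for triage."""
    findings = []
    for line in lines:
        for match in OPTION_RE.finditer(line):
            value = match.group(1)
            reasons = suspicious_reasons(value)
            if reasons:
                user = USER_RE.search(line)
                findings.append({"user": user.group(1) if user else "?",
                                 "option": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LINES):
        print(f"{f['user']}: {f['option'][:40]!r} -> {', '.join(f['reasons'])}")
```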

Remediation Steps

  1. Upgrade GitHub Enterprise Server Immediately (D3-SU): Organizations running self-hosted GHES must upgrade to a patched version (e.g., 3.14.25+, 3.15.20+, etc.) as a top priority. This is the only way to fix the vulnerability.
  2. Restrict Access: If an immediate upgrade is not possible, restrict access to the GHES instance at the network level to only trusted IPs. Also, review user permissions and limit push access on critical repositories to the smallest possible group of trusted developers.
  3. Audit and Rotate Secrets: After upgrading, conduct a thorough audit of all repositories for any signs of tampering. It is also highly recommended to rotate all secrets, API keys, and credentials stored within the GHES instance or in repositories, as a precautionary measure against potential prior compromise.

Timeline of Events

  1. March 4, 2026: Wiz reports the RCE vulnerability to GitHub's security team.
  2. April 28, 2026: Wiz and GitHub publicly disclose CVE-2026-3854 after patches have been made available.
  3. April 30, 2026: This article was published.

MITRE ATT&CK Mitigations

Administrators of GitHub Enterprise Server must upgrade their instances to a patched version to eliminate the vulnerability.

Implementing input validation and sanitization on application inputs is a fundamental security practice that would have prevented this command injection flaw.

As a temporary measure, restricting network access to the GitHub Enterprise Server to only trusted IP ranges can reduce exposure.

D3FEND Defensive Countermeasures

The only effective remediation for CVE-2026-3854 is to upgrade all self-hosted GitHub Enterprise Server (GHES) instances to a patched version (3.14.25+, 3.15.20+, etc.). Given the criticality of the flaw and the simplicity of exploitation, this should be considered an emergency update. Organizations should immediately inventory all GHES instances, including development and testing environments, and apply the patch. For organizations where patching is delayed, taking the instance offline or severely restricting its network access should be considered as a temporary, high-impact mitigation.

While the vulnerability lies within GitHub's code, this incident highlights the need for defense-in-depth. Organizations should review their GHES configurations to enforce the principle of least privilege. This includes auditing user permissions to ensure that only a minimum number of developers have push access to critical repositories. Implement branch protection rules that require pull request reviews before code can be merged into main branches. This doesn't prevent the exploit but can limit an attacker's ability to inject malicious code into a production release even if they compromise a developer account with push access.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

GitHub, RCE, Command Injection, Wiz, Supply Chain, DevSecOps
