Full Report
Cybersecurity researchers have revealed critical details about a newly identified RCE vulnerability, tracked as CVE-2026-3854, affecting both GitHub’s cloud infrastructure and GitHub Enterprise Server deployments. The flaw, which carries a high CVSS score of 8.7, could allow an authenticated user to execute arbitrary code on affected systems with a single crafted `git push` command.

The vulnerability, discovered by researchers at Wiz, is a command injection flaw in GitHub’s internal handling of user-supplied data. Specifically, the issue lies in how push options, the key-value strings sent during a `git push` operation, were processed.

## What is the CVE-2026-3854 RCE Vulnerability?

According to an advisory from GitHub, “During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers.” Because the internal header format relied on a delimiter character that could also appear in user input, attackers could manipulate these values to inject additional metadata fields. This weakness opened the door to exploitation: an attacker with push access to a repository, including one they created themselves, could execute arbitrary commands on the server handling the request.

## How the RCE Vulnerability Worked

At the core of CVE-2026-3854 is improper input sanitization. During a typical git push, metadata such as repository type and processing environment is passed between internal services. This metadata is encoded using a delimiter, specifically a semicolon. Because user-controlled push options were inserted into this metadata without sufficient filtering, an attacker could craft inputs containing the delimiter and thereby inject additional fields into the internal X-Stat header.

By chaining multiple malicious values, researchers demonstrated that an attacker could:

- Override the environment in which the push operation was processed
- Bypass sandboxing protections designed to restrict execution
- Ultimately achieve remote code execution on the server

This made the flaw particularly dangerous, as it required minimal effort to exploit: a single command could trigger the attack.

## Timeline: Discovery and Rapid Response

The CVE-2026-3854 RCE vulnerability was responsibly disclosed by Wiz on March 4, 2026. GitHub’s response was notably swift. In a detailed blog post, Alexis Wales explained: “On March 4, 2026, we received a vulnerability report through our Bug Bounty program from researchers at Wiz describing a critical remote code execution vulnerability affecting github.com, GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, GitHub Enterprise Cloud with Enterprise Managed Users, and GitHub Enterprise Server.”

GitHub’s internal security team began validation immediately. Within 40 minutes, they had reproduced the issue and confirmed its severity. By 5:45 p.m. UTC, the root cause had been identified, and by 7:00 p.m. UTC, less than two hours after validation, a fix was deployed to GitHub.com.

## Affected Systems and Patch Availability

The RCE vulnerability CVE-2026-3854 impacted a wide range of GitHub products, including:

- GitHub.com
- GitHub Enterprise Cloud
- GitHub Enterprise Cloud with Data Residency
- GitHub Enterprise Cloud with Enterprise Managed Users
- GitHub Enterprise Server

While cloud-hosted services were patched automatically on March 4, 2026, GitHub Enterprise Server requires manual updates. Fixes were released in the following versions:

- 3.14.25
- 3.15.20
- 3.16.16
- 3.17.13
- 3.18.8
- 3.19.4
- 3.20.0 or later

Users of GitHub Enterprise Server are strongly advised to upgrade immediately to mitigate the risk associated with this RCE vulnerability.

## No Evidence of Exploitation

Following the patch deployment, GitHub conducted a thorough forensic investigation to determine whether CVE-2026-3854 had been exploited in the wild. A key indicator of exploitation was the triggering of an unusual internal code path, one not used during normal operations. GitHub analyzed telemetry data and found:

- All instances of this anomalous behavior were linked exclusively to the Wiz researchers’ testing
- No unauthorized users triggered the exploit
- No customer data was accessed, modified, or exfiltrated

This provided strong assurance that the RCE vulnerability had not been abused before disclosure.

## Defense-in-Depth Improvements

Beyond fixing the input sanitization issue, GitHub identified an additional weakness. The exploit relied partly on a code path that should not have been accessible in the affected environment. Although it existed within the server’s container image, it was intended for a different configuration. GitHub removed this unnecessary code as part of its remediation efforts. This additional hardening means that even if a similar vulnerability emerges in the future, its impact would be significantly reduced.

## Recommendations for GitHub Enterprise Server Users

For organizations using GitHub Enterprise Server, exploitation of CVE-2026-3854 would require an authenticated user with push access. As a precaution, GitHub recommends:

- Reviewing `/var/log/github-audit.log` for suspicious push operations
- Checking for push options containing semicolons (`;`)
- Upgrading to the latest patched version without delay
Analysis Summary
# Vulnerability: GitHub Improper Sanitization of Push Options RCE
## CVE Details
- **CVE ID:** CVE-2026-3854
- **CVSS Score:** 8.7 (High)
- **CWE:** Improper Input Sanitization / Command Injection (Specifically involving delimiter injection)
## Affected Systems
- **Products:**
- GitHub.com
- GitHub Enterprise Cloud
- GitHub Enterprise Cloud (with Data Residency / Enterprise Managed Users)
- GitHub Enterprise Server (GHES)
- **Versions:**
- GHES versions prior to 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4.
- **Configurations:** Systems where authenticated users have "push" access to repositories.
## Vulnerability Description
The flaw exists in how GitHub processes "push options"—key-value strings passed during a `git push` operation. The internal service handling these options used a semicolon (`;`) as a delimiter for metadata in the internal `X-Stat` header.
Because user-supplied push options were not properly sanitized, an attacker could include semicolons in their input to inject additional fields into the internal service headers. By manipulating these headers, an attacker could override the processing environment and bypass sandbox protections, leading to Remote Code Execution (RCE) on the server handling the request.
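To make the bug class concrete for both the "How the RCE Vulnerability Worked" section of the report and the description above, here is an added illustration of delimiter injection and its fix. This is example code written for this page, not GitHub's code: the `X-Stat` header name and the `;` delimiter come from the advisory summary, while the field names (`repo_type`, `opt`), the `key=value` encoding, the "last field wins" parsing rule and the sample values are assumptions made for the demo.

```python
"""Delimiter injection in a ';'-separated metadata header, and two defensive encoders.

Added example, not GitHub's code. The encoding scheme, field names and parser
behaviour are assumptions; only the header name X-Stat and the ';' delimiter
come from the advisory summary.
"""
from urllib.parse import quote, unquote

DELIM = ";"


def build_xstat_unsafe(fields: dict) -> str:
    """Vulnerable pattern: values are concatenated verbatim, so a value that
    contains the delimiter is indistinguishable from a field boundary."""
    return DELIM.join(f"{k}={v}" for k, v in fields.items())


def parse_xstat(header: str) -> dict:
    """Downstream consumer (assumed behaviour): split on the delimiter; when a
    key repeats, the later field overrides the earlier one."""
    parsed = {}
    for part in header.split(DELIM):
        if not part:
            continue
        key, _, value = part.partition("=")
        parsed[key] = value
    return parsed


def build_xstat_safe(fields: dict) -> str:
    """Fix 1 (reject): refuse any user-controlled value that carries a reserved
    character before it reaches the header at all."""
    for key, value in fields.items():
        if DELIM in value or "=" in value:
            raise ValueError(f"push option {key!r} contains a reserved character")
    return DELIM.join(f"{k}={v}" for k, v in fields.items())


def build_xstat_encoded(fields: dict) -> str:
    """Fix 2 (encode): percent-encode every value with no safe characters, so the
    delimiter and '=' can never appear literally inside a value."""
    return DELIM.join(f"{k}={quote(v, safe='')}" for k, v in fields.items())


def parse_xstat_encoded(header: str) -> dict:
    """Consumer paired with Fix 2: split first, then decode each value."""
    return {k: unquote(v) for k, v in parse_xstat(header).items()}


def demo() -> dict:
    """Run the three builders on the same input: a trusted field plus one
    user-controlled option whose value smuggles a second field."""
    fields = {"repo_type": "user", "opt": "x;repo_type=INJECTED"}  # constructed input
    result = {"unsafe": parse_xstat(build_xstat_unsafe(fields))}
    try:
        build_xstat_safe(fields)
        result["safe"] = "accepted"
    except ValueError as exc:
        result["safe"] = f"rejected: {exc}"
    result["encoded"] = parse_xstat_encoded(build_xstat_encoded(fields))
    return result


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:8} -> {outcome}")
```

Run as a script, the `unsafe` line shows `repo_type` overridden by the injected field, `safe` shows the value being rejected before encoding, and `encoded` shows `repo_type` preserved because the injected `;` and `=` travel as `%3B` and `%3D`. Either fix is sufficient on its own; the rejecting variant is simplest when the option grammar has no legitimate use for the delimiter, and the encoding variant is the general solution when it might.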
## Exploitation
- **Status:** Not exploited in the wild (Disclosed via Bug Bounty by Wiz researchers).
- **Complexity:** Low (Can be triggered with a single crafted command).
- **Attack Vector:** Network (Requires authentication with push permissions).
## Impact
- **Confidentiality:** High (Arbitrary code execution on infrastructure).
- **Integrity:** High (Ability to modify repository data and server configurations).
- **Availability:** High (Potential for site/service disruption).
## Remediation
### Patches
GitHub has released the following patched versions for **GitHub Enterprise Server**:
- 3.14.25
- 3.15.20
- 3.16.16
- 3.17.13
- 3.18.8
- 3.19.4
- 3.20.0 or later
*Note: GitHub.com and Enterprise Cloud environments were automatically patched by the vendor on March 4, 2026.*
### Workarounds
No specific software workaround is provided other than upgrading. However, restricting push access to trusted collaborators can reduce the attack surface.
## Detection
- **Audit Logs:** Review `/var/log/github-audit.log` for anomalous or highly frequent push operations.
- **Push Option Monitoring:** Search for `git push` commands containing semicolons (`;`) within the push options values.
- **Telemetry:** Look for the activation of internal code paths/configurations that are typically unused in standard production environments.
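The audit-log and push-option checks above can be scripted. The following is an added example written for this page, not a GitHub tool, and it assumes a JSON-lines audit log with `action`, `actor`, `repo` and `push_options` fields; the real `/var/log/github-audit.log` layout is not reproduced on the page, so adjust the field names to match your instance. The sample lines are constructed.

```python
"""Scan a JSON-lines audit log for git.push events whose push options contain
the ';' delimiter, and count hits per actor for triage.

Added example, not GitHub's code. Field names (action, actor, repo,
push_options) are assumptions about the log schema; sample lines are constructed.
"""
import json
from collections import Counter

# Constructed sample log: one benign push, two pushes carrying ';' in an option
# (list-valued and string-valued), a non-push event, and a corrupt line.
SAMPLE_LOG = """
{"action": "git.push", "actor": "alice", "repo": "acme/app", "push_options": ["ci.skip"]}
{"action": "git.push", "actor": "mallory", "repo": "mallory/scratch", "push_options": ["note=hello;repo_type=INJECTED"]}
{"action": "git.clone", "actor": "bob", "repo": "acme/app"}
{"action": "git.push", "actor": "mallory", "repo": "mallory/scratch", "push_options": "a;b"}
this line is not JSON and should be skipped
{"action": "git.push", "actor": "carol", "repo": "acme/docs"}
""".strip().splitlines()


def scan_push_options(lines, delimiter=";"):
    """Return one finding per push option that contains the delimiter.

    Non-JSON lines are skipped rather than aborting the scan, push_options may be
    a list or a single string, and events without push options are ignored."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if event.get("action") != "git.push":
            continue
        options = event.get("push_options") or []
        if isinstance(options, str):
            options = [options]
        for option in options:
            if delimiter in option:
                findings.append({
                    "line": lineno,
                    "actor": event.get("actor"),
                    "repo": event.get("repo"),
                    "option": option,
                })
    return findings


def actors_by_hit_count(findings):
    """Aggregate findings per actor so repeat offenders surface first."""
    return Counter(f["actor"] for f in findings)


def scan_file(path, delimiter=";"):
    """Convenience wrapper for a real log file (one JSON event per line)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_push_options(fh, delimiter)


if __name__ == "__main__":
    hits = scan_push_options(SAMPLE_LOG)
    for hit in hits:
        print(f"line {hit['line']}: {hit['actor']} -> {hit['repo']} option={hit['option']!r}")
    print("per-actor:", dict(actors_by_hit_count(hits)))
```

On the sample data the scan flags lines 2 and 4, both from `mallory`, and leaves the benign `ci.skip` push and the malformed line alone. A semicolon in a push option is not proof of exploitation on its own, so treat hits as leads to correlate with the actor's other activity and with the "unusual internal code path" telemetry described in the report.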
## References
- **Vendor Advisory:** [hXXps://github[.]blog/2026-03-04-security-advisory-cve-2026-3854]
- **Researcher Report:** [hXXps://wiz[.]io/blog/cve-2026-3854-github-rce]
- **News Coverage:** [hXXps://thecyberexpress[.]com/cve-2026-3854-rce-github-enterprise-server/]