Full Report
In early March, GitHub patched a critical remote code execution vulnerability (CVE-2026-3854) that could have allowed attackers to access millions of private repositories. [...]
Analysis Summary
# Vulnerability: GitHub RCE via Malicious Git Push (CVE-2026-3854)
## CVE Details
- **CVE ID:** CVE-2026-3854
- **CVSS Score:** 10.0 (Critical; estimated from the description in this report, not a vendor-published score)
- **CWE:** CWE-20 (Improper Input Validation) / CWE-94 (Improper Control of Generation of Code)
## Affected Systems
- **Products:**
  - GitHub.com
  - GitHub Enterprise Cloud (including Data Residency and Enterprise Managed Users)
  - GitHub Enterprise Server (GHES)
- **Versions:** GHES versions prior to 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4, and 3.20.0.
- **Configurations:** Any instance on which the attacker holds push access to at least one repository (for example, one they created themselves). No elevated role on the instance is required.
## Vulnerability Description
The flaw stems from insufficient sanitization of user-supplied options sent with a `git push`. When a push is processed, certain of these values are copied into internal server metadata. Because downstream services implicitly trust every field in that metadata, an attacker who crafts an option so that it injects additional fields can chain the injected values to bypass internal sandboxing protections and achieve Remote Code Execution (RCE) on the storage nodes or the enterprise server. The root cause is a classic injection pattern: an untrusted value is written into a structured record without being validated against that record's own syntax, so the consumer cannot tell injected fields from legitimate ones.
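The following is an added illustration of the bug class described above, written for this report; it is not GitHub's code and does not reproduce the actual vulnerable component. It models a producer that copies a push option into a line-oriented key=value record and a consumer that trusts every field, then shows the two independent fixes: allow-listing the value before serialisation, and a strict parser that rejects unknown or duplicated keys. The field names (`repo`, `push_option`, `sandbox`) and the payload are hypothetical.

```python
import re
from typing import Dict, FrozenSet

# Toy model of the injection class (constructed for this example; not GitHub's
# code). A server copies a user-supplied push option into a line-oriented
# key=value metadata record, and a downstream service parses that record and
# trusts every field it finds. Field names below are hypothetical.

DOWNSTREAM_DEFAULTS = {"sandbox": "enforced"}  # what the consumer assumes unless the record says otherwise
ALLOWED_KEYS: FrozenSet[str] = frozenset({"repo", "push_option"})


def build_metadata_vulnerable(repo: str, push_option: str) -> str:
    """Vulnerable producer: the user-controlled value is concatenated verbatim,
    so a value containing a newline adds a whole new line (and field) to the record."""
    return f"repo={repo}\npush_option={push_option}\n"


def parse_metadata_naive(record: str) -> Dict[str, str]:
    """Naive consumer: every key=value line becomes a trusted field."""
    fields = dict(DOWNSTREAM_DEFAULTS)
    for line in record.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields


class InvalidPushOption(ValueError):
    """Raised when a push option or metadata record fails validation."""


# Hardened producer: allow-list the value before it touches the record.
# No CR, LF, NUL or other control characters, and a bounded length.
PUSH_OPTION_RE = re.compile(r"\A[A-Za-z0-9_.:/@ -]{1,256}\Z")


def build_metadata_hardened(repo: str, push_option: str) -> str:
    if not PUSH_OPTION_RE.fullmatch(push_option):
        raise InvalidPushOption(f"rejected push option {push_option!r}")
    return f"repo={repo}\npush_option={push_option}\n"


def parse_metadata_strict(record: str, allowed: FrozenSet[str] = ALLOWED_KEYS) -> Dict[str, str]:
    """Hardened consumer: refuse records carrying unknown or duplicated keys,
    so an injected field is rejected even if the producer missed it."""
    fields = dict(DOWNSTREAM_DEFAULTS)
    seen = set()
    for line in record.splitlines():
        key, sep, value = line.partition("=")
        if not sep or key not in allowed or key in seen:
            raise InvalidPushOption(f"unexpected metadata line {line!r}")
        seen.add(key)
        fields[key] = value
    return fields


def demo(repo: str = "acme/app") -> Dict[str, object]:
    """Run a constructed payload through both paths and report what happened."""
    # Constructed payload: the newline smuggles a 'sandbox' field into the record.
    payload = "ci.skip\nsandbox=disabled"

    naive = parse_metadata_naive(build_metadata_vulnerable(repo, payload))

    try:
        build_metadata_hardened(repo, payload)
        producer_rejected = False
    except InvalidPushOption:
        producer_rejected = True

    try:
        parse_metadata_strict(build_metadata_vulnerable(repo, payload))
        consumer_rejected = False
    except InvalidPushOption:
        consumer_rejected = True

    return {
        "naive_sandbox": naive["sandbox"],        # 'disabled': the injected field overrode the default
        "producer_rejected": producer_rejected,   # True: the allow-list stopped it
        "consumer_rejected": consumer_rejected,   # True: the strict parser stopped it
    }


if __name__ == "__main__":
    print(demo())
```

The two fixes are independent on purpose: the producer-side allow-list is the primary control, and the consumer-side strict parser is defence in depth for the case where some other producer feeds the same record format.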
## Exploitation
- **Status:** Proof of concept developed by Wiz researchers; no evidence of in-the-wild exploitation has been reported.
- **Complexity:** Low (a single crafted `git push` is sufficient).
- **Attack Vector:** Network (authenticated; delivered via `git push`).
## Impact
- **Confidentiality:** Total (Full read access to millions of private repositories and internal secrets).
- **Integrity:** Total (Full write access to hosted repositories and server metadata).
- **Availability:** High (Potential for server compromise and service disruption).
## Remediation
### Patches
GitHub has released patches for all supported versions of GitHub Enterprise Server. Administrators should upgrade to the following versions or later:
- GHES 3.14.25
- GHES 3.15.20
- GHES 3.16.16
- GHES 3.17.13
- GHES 3.18.8
- GHES 3.19.4
- GHES 3.20.0
*Note: GitHub.com and GitHub Enterprise Cloud have already been patched by the vendor.*
### Workarounds
No configuration workaround was provided. Because the precondition is push access to any single repository, restricting push rights is not a practical mitigation on a multi-user instance; upgrading GHES immediately is the recommended course of action.
## Detection
- **Indicators of Compromise:** GitHub reports that, in its own telemetry, exploitation attempts trigger an "anomalous code path" during push handling. That is a server-side signal available to GitHub; no file, network or log-based IoCs are listed in this report.
- **Detection methods:** GHES administrators should review audit logs for `git push` events whose options contain unexpected characters (control characters, line breaks, or extra key=value segments) and for administrative-level activity that follows a user push within a short window, since a successful exploit runs code on the server with privileges the pushing user should not have.
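The following is an added example of the two detection checks above, written for this report rather than taken from GitHub or Wiz. It runs over constructed audit events: the event schema (`ts`, `actor`, `action`, `repo`, `push_options`), the action names, and the 15-minute correlation window are all assumptions for illustration, not the real GHES audit-log format; map your instance's fields onto them.

```python
import json
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample audit events for this example. The schema and action
# names are assumed and simplified, not the real GHES audit-log format.
SAMPLE_LOG = """\
{"ts": "2026-03-02T10:00:00Z", "actor": "alice",   "action": "git.push",     "repo": "acme/app",        "push_options": ["ci.skip"]}
{"ts": "2026-03-02T10:00:05Z", "actor": "mallory", "action": "git.push",     "repo": "mallory/scratch", "push_options": ["ci.skip\\nsandbox=disabled"]}
{"ts": "2026-03-02T10:03:10Z", "actor": "mallory", "action": "user.promote", "repo": null,              "push_options": null}
{"ts": "2026-03-02T11:30:00Z", "actor": "bob",     "action": "git.push",     "repo": "acme/app",        "push_options": []}
{"ts": "2026-03-02T15:30:00Z", "actor": "bob",     "action": "user.promote", "repo": null,              "push_options": null}
"""

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")  # CR, LF, NUL and friends inside an option
ADMIN_ACTIONS = {"user.promote"}                # assumed set of admin-level actions to correlate
WINDOW = timedelta(minutes=15)                  # assumed correlation window


def parse_log(text: str) -> List[Dict]:
    """Parse JSON-lines audit events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def suspicious_push_options(events: List[Dict]) -> List[Dict]:
    """Check 1: pushes whose options carry control characters, the usual way a
    value smuggles an extra line (and field) into a line-oriented record."""
    hits = []
    for ev in events:
        if ev["action"] != "git.push":
            continue
        for opt in ev.get("push_options") or []:
            if CONTROL_CHARS.search(opt):
                hits.append({"actor": ev["actor"], "repo": ev["repo"], "option": opt,
                             "reason": "control character in push option"})
    return hits


def push_followed_by_admin_action(events: List[Dict], window: timedelta = WINDOW) -> List[Dict]:
    """Check 2: the same actor performs an admin-level action within `window` of a push."""
    hits = []
    pushes = [e for e in events if e["action"] == "git.push"]
    admin = [e for e in events if e["action"] in ADMIN_ACTIONS]
    for p in pushes:
        for a in admin:
            if a["actor"] == p["actor"] and p["ts"] <= a["ts"] <= p["ts"] + window:
                hits.append({"actor": p["actor"], "push_ts": p["ts"].isoformat(),
                             "admin_action": a["action"],
                             "delta_s": (a["ts"] - p["ts"]).total_seconds()})
    return hits


def analyse(text: str) -> Dict[str, List[Dict]]:
    """Run both checks over a JSON-lines audit log and return the findings."""
    events = parse_log(text)
    return {
        "bad_options": suspicious_push_options(events),
        "push_then_admin": push_followed_by_admin_action(events),
    }


if __name__ == "__main__":
    for kind, findings in analyse(SAMPLE_LOG).items():
        for f in findings:
            print(kind, f)
```

In the constructed data only `mallory` trips both checks: the push option contains a newline, and an admin-level action follows the push three minutes later; `bob`'s promotion four hours after a clean push falls outside the window. The second check is deliberately coarse and will need tuning to your instance's normal admin activity; it is there to catch the post-exploitation step, not the push itself.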
## References
- **GitHub Security Blog:** hxxps[://]github[.]blog/security/securing-the-git-push-pipeline-responding-to-a-critical-remote-code-execution-vulnerability/
- **Wiz Research Report:** hxxps[://]www[.]wiz[.]io/blog/github-rce-vulnerability-cve-2026-3854
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-3854