Critical GitHub RCE Flaw CVE-2026-3854: A Single Git Push Away
Summary
Cybersecurity researchers at **Google-owned Wiz** have uncovered a critical remote code execution (RCE) vulnerability, **CVE-2026-3854**, affecting **GitHub.com** and **GitHub Enterprise Server**. The flaw, with a CVSS score of **8.7**, allows an authenticated user with push access to a repository to execute arbitrary commands on the server via a single, crafted **'git push'** command. This exploit bypasses sandboxing and can lead to widespread data exposure across **millions of repositories** due to GitHub's multi-tenant architecture. **GitHub** has since deployed fixes for affected versions, with **Wiz** credited for the discovery and timely reporting on March 4, 2026.
Key Takeaways
- A critical RCE vulnerability (CVE-2026-3854) was found in GitHub, exploitable via a single 'git push'.
- The flaw allows authenticated users with push access to execute arbitrary code on affected servers.
- Google's Wiz discovered the vulnerability and reported it on March 4, 2026.
- GitHub patched GitHub.com within two hours and released updates for Enterprise Server versions.
- The vulnerability posed a risk of cross-tenant data exposure across millions of repositories.
Balanced Perspective
The disclosure of **CVE-2026-3854** reveals a command injection vulnerability within GitHub's internal protocol, in how user-supplied push option values were handled in X-Stat headers. Exploitation requires authenticated push access, and while **Wiz** reports it's 'remarkably easy' to exploit, **GitHub** states there is no evidence of malicious exploitation. The vulnerability has been patched in specific versions of **GitHub Enterprise Server** and on **GitHub.com**.
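The class of bug described above is untrusted push option values reaching a command line. The example below is added here as an illustration of the defensive pattern, not GitHub's code and not the actual vulnerable path: it allowlists `git push -o key=value` options before they are forwarded, and builds an argv list instead of a shell string. The tool name, the option grammar and the length cap are assumptions.

```python
import re
from typing import Dict, List

# Assumed allowlist for push options: key=value with no shell metacharacters.
# Anything outside this grammar (quotes, $, ;, |, backticks, whitespace) is rejected.
PUSH_OPTION_RE = re.compile(r"^[A-Za-z0-9_.-]+=[A-Za-z0-9_.:/@-]*$")
MAX_OPTION_LEN = 256  # assumed cap; git itself bounds push option size


def validate_push_options(options: List[str]) -> Dict[str, str]:
    """Parse a list of push options, raising ValueError on anything suspicious.

    Rejects malformed options, over-long values and duplicate keys so that the
    caller only ever sees values that are safe to pass on as a single argv element.
    """
    parsed: Dict[str, str] = {}
    for opt in options:
        if len(opt) > MAX_OPTION_LEN:
            raise ValueError(f"push option too long: {len(opt)} bytes")
        if not PUSH_OPTION_RE.fullmatch(opt):
            raise ValueError(f"rejected push option: {opt!r}")
        key, value = opt.split("=", 1)
        if key in parsed:
            raise ValueError(f"duplicate push option key: {key!r}")
        parsed[key] = value
    return parsed


def vulnerable_shell_line(header_value: str) -> str:
    # Vulnerable pattern (illustrative): interpolating an untrusted header value
    # into a string that is later handed to a shell. Metacharacters in
    # header_value would be interpreted as command syntax.
    return f"stat-tool --header {header_value}"


def hardened_argv(header_value: str) -> List[str]:
    # Hardened pattern: the value is one argv element and is never shell-parsed.
    # Pass this list to subprocess.run(argv) with shell=False (the default).
    # 'stat-tool' is a hypothetical internal command.
    return ["stat-tool", "--header", header_value]
```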
Optimistic View
The swift patching of **CVE-2026-3854** by **GitHub** within two hours of discovery demonstrates the robust security incident response capabilities of major tech platforms. This rapid remediation, coupled with the proactive disclosure by **Wiz**, underscores a healthy ecosystem of vulnerability research and responsible disclosure, ensuring that critical flaws are addressed before widespread exploitation can occur, thereby protecting the vast user base and their sensitive code.
Critical View
The existence of **CVE-2026-3854**, a vulnerability allowing RCE via a single 'git push' and affecting a significant portion of **GitHub Enterprise Server** instances (estimated at 88%), is deeply concerning. The potential for cross-tenant exposure on **GitHub.com**, enabling access to millions of repositories, highlights a systemic risk in shared backend infrastructure. The ease of exploitation and the bypass of sandboxing protections suggest that similar, undiscovered vulnerabilities may persist in complex, multi-service architectures.
Source
Originally reported by The Hacker News