
Critical RCE Vulnerability Discovered in GitHub's Infrastructure

Severity: High (Score: 70.5)

Sources: Securityaffairs.Co, Itnews.Au, Gbhackers, github.blog, app.opencve.io

Summary

Wiz Research has identified a critical remote code execution (RCE) vulnerability, CVE-2026-3854, in GitHub's internal git infrastructure. The flaw allows any authenticated user to execute arbitrary commands on backend servers with a single git push, potentially compromising millions of repositories. It affects both GitHub.com and GitHub Enterprise Server (GHES); on GHES it allows full server compromise. GitHub patched GitHub.com within 6 hours of the report on March 4, 2026, and released a fix for GHES on March 10, 2026. Despite the patches, 88% of GHES instances remain vulnerable as of the latest reports. Wiz used AI-augmented tools to discover the flaw, marking a significant advancement in vulnerability research. GitHub has acknowledged the severity of the issue and is rewarding the Wiz researchers with a substantial bounty. GHES users are advised to upgrade to version 3.19.3 or later immediately.

Key Points:

  • CVE-2026-3854 allows RCE via a single git push by authenticated users.
  • GitHub patched the vulnerability quickly, but 88% of GHES instances are still vulnerable.
  • Wiz Research used AI tools to discover this critical vulnerability.

Key Entities

  • Zero-day Exploit (attack_type)
  • GitHub (platform)
  • GitHub.com (platform)
  • GitHub Enterprise Cloud (platform)
  • GitHub Enterprise Server (platform)
  • Wiz (company)
  • CVE-2026-3854 (cve)
  • CWE-22 - Path Traversal (cwe)
  • CWE-78 - OS Command Injection (cwe)
  • wiz.io (domain)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1078 - Valid Accounts (mitre_attack)
  • T1190 - Exploit Public-Facing Application (mitre_attack)
  • IDA MCP (tool)