Critical RCE Vulnerability in GitHub Affects Millions of Repositories
Severity: High (Score: 72.9)
Sources: Cybersecuritynews, News.Ycombinator, github.blog, Securityaffairs.Co
Summary
A critical remote code execution vulnerability, tracked as CVE-2026-3854, was discovered in GitHub's internal git infrastructure. It allows any authenticated user to execute arbitrary commands on backend servers with a single git push. The flaw affects both GitHub.com and GitHub Enterprise Server (GHES), enabling full server compromise and access to millions of private repositories. It was identified by Wiz Research through AI-augmented reverse engineering.

GitHub mitigated the issue on GitHub.com within 6 hours of the report and released patches for all supported versions of GHES. At the time of writing, however, 88% of GHES instances remain vulnerable. Administrators are urged to upgrade to GHES version 3.19.3 or later to protect their environments; detailed remediation steps are provided in GitHub's security blog. The incident marks a significant shift in vulnerability discovery, highlighting the role of AI in identifying critical flaws in closed-source software.

Key Points:
- CVE-2026-3854 allows RCE via a single git push, affecting GitHub.com and GHES.
- 88% of GitHub Enterprise Server instances are still vulnerable despite available patches.
- The vulnerability was discovered using AI, marking a new approach in security research.
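The one check an administrator wants from this summary is whether each GHES instance in the fleet is at or beyond the named fix level. The script below is an added example, not code from GitHub, Wiz or the cited articles. It assumes that the GHES REST endpoint `GET /api/v3/meta` returns an `installed_version` field, that the only fix version the summary gives (3.19.3 for the 3.19 line) is the threshold, and that fix versions for the other supported release lines are filled into `FIXED_VERSIONS` from GitHub's advisory. The host names and response bodies are constructed sample data.

```python
"""Fleet check: classify GHES instances against the fix level named for CVE-2026-3854.

Added example. The summary names only 3.19.3; other supported release lines
received their own fixed builds, whose numbers must be copied from GitHub's
security blog into FIXED_VERSIONS before trusting a 'check-advisory' result.
"""
import json
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Minimum fixed version per release line (major, minor). Only the 3.19 entry
# comes from the summary above; add the other lines from GitHub's advisory.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (3, 19): (3, 19, 3),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Parse 'major.minor.patch'; trailing suffixes are ignored, malformed input gives None."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(version_text: str) -> str:
    """Return 'patched', 'vulnerable', 'check-advisory' or 'unparseable'."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    newest_fix = max(FIXED_VERSIONS.values())
    if v >= newest_fix:
        return "patched"            # "3.19.3 or later", per the summary
    line = (v[0], v[1])
    if line in FIXED_VERSIONS:
        return "patched" if v >= FIXED_VERSIONS[line] else "vulnerable"
    return "check-advisory"         # older line whose fix level is not in the table yet


def installed_version(meta_body: str) -> Optional[str]:
    """Extract installed_version from a GET /api/v3/meta response body (assumed field)."""
    try:
        value = json.loads(meta_body).get("installed_version")
    except (json.JSONDecodeError, AttributeError):
        return None
    return value if isinstance(value, str) else None


# Constructed sample /api/v3/meta bodies for hypothetical hosts (not real data).
SAMPLE_META: Dict[str, str] = {
    "ghes-a.example.internal": '{"installed_version": "3.19.3"}',
    "ghes-b.example.internal": '{"installed_version": "3.19.2"}',
    "ghes-c.example.internal": '{"installed_version": "3.18.6"}',
    "ghes-d.example.internal": '{"installed_version": "3.20.0"}',
    "ghes-e.example.internal": "<html>login page</html>",
}


def fleet_report(meta_bodies: Dict[str, str]) -> Dict[str, str]:
    """Map each host to its classification."""
    report = {}
    for host, body in meta_bodies.items():
        ver = installed_version(body)
        report[host] = classify(ver) if ver is not None else "unparseable"
    return report


def not_confirmed_patched(report: Dict[str, str]) -> float:
    """Share of hosts that are not confirmed patched (the figure the summary quotes as 88%)."""
    if not report:
        return 0.0
    bad = sum(1 for status in report.values() if status != "patched")
    return bad / len(report)


if __name__ == "__main__":
    rep = fleet_report(SAMPLE_META)
    for host, status in sorted(rep.items()):
        print(f"{host:28s} {status}")
    print(f"not confirmed patched: {not_confirmed_patched(rep):.0%}")
```

Against a live fleet, replace `SAMPLE_META` with the bodies fetched from each instance's `/api/v3/meta`; a `check-advisory` or `unparseable` result should be treated as unpatched until a human confirms the version from the management console.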
Key Entities
- Zero-day Exploit (attack_type)
- GitHub (platform)
- GitHub.com (platform)
- GitHub Enterprise Cloud (platform)
- GitHub Enterprise Server (platform)
- CVE-2026-3854 (cve)
- CWE-22 - Path Traversal (cwe)
- CWE-78 - OS Command Injection (cwe)
- wiz.io (domain)
- T1059 - Command and Scripting Interpreter (mitre_attack)
- IDA MCP (tool)