GitHub Patches Critical RCE Vulnerability CVE-2026-3854

GitHub Patches Critical RCE Vulnerability CVE-2026-3854

First seen 28 Apr 2026, 18:04 UTC Feeds2.FeedburnerGbhackersCybersecuritynewsBleepingcomputerScworld+31 86% similarity 72.0

Article Content

Browse articles
ThreatCluster

A critical remote code execution vulnerability, tracked as CVE-2026-3854, was discovered in GitHub's internal git infrastructure, allowing authenticated users to execute arbitrary commands via a crafted git push command. The flaw, identified by Wiz researchers using AI, affects both GitHub.com and GitHub Enterprise Server, potentially exposing millions of repositories. GitHub's rapid response included patching the issue within six hours of disclosure on March 4, 2026. Despite the swift action, reports indicate that 88% of GitHub Enterprise Server instances remained vulnerable at the time of public disclosure. The vulnerability stems from improper sanitization of user-supplied push options, allowing command injection. GitHub has released patches for all affected versions, and no evidence of exploitation was found prior to the patch. The incident highlights significant security risks associated with internal protocols and user input handling.

Key Points: • CVE-2026-3854 allows RCE via a single malicious git push command. • 88% of GitHub Enterprise Server instances were still vulnerable at public disclosure. • GitHub patched the vulnerability within six hours of its discovery.

ThreatCluster AI

Timeline

2026-03-04
Wiz reported CVE-2026-3854 to GitHub
2026-03-10
CVE-2026-3854 published
2026-04-29
First public PoC released

Community

Browse all →