
GitHub Patches Critical RCE Vulnerability CVE-2026-3854

Severity: High (Score: 72.0)

Sources: Cybersecuritynews, www.itnews.com.au, app.opencve.io, Theregister, www.cve.news

Summary

A critical remote code execution vulnerability, tracked as CVE-2026-3854, was discovered in GitHub's internal git infrastructure, allowing authenticated users to execute arbitrary commands via a crafted git push command. The flaw, identified by Wiz researchers using AI, affects both GitHub.com and GitHub Enterprise Server, potentially exposing millions of repositories. GitHub's rapid response included patching the issue within six hours of disclosure on March 4, 2026. Despite the swift action, reports indicate that 88% of GitHub Enterprise Server instances remained vulnerable at the time of public disclosure. The vulnerability stems from improper sanitization of user-supplied push options, allowing command injection. GitHub has released patches for all affected versions, and no evidence of exploitation was found prior to the patch. The incident highlights significant security risks associated with internal protocols and user input handling.

Key Points:

  • CVE-2026-3854 allows RCE via a single malicious git push command.
  • 88% of GitHub Enterprise Server instances were still vulnerable at public disclosure.
  • GitHub patched the vulnerability within six hours of its discovery.

Key Entities

  • Data Breach (attack_type)
  • Zero-day Exploit (attack_type)
  • GitHub (platform)
  • GitHub.com (platform)
  • GitHub Enterprise Cloud (platform)
  • GitHub Enterprise Server (platform)
  • Wiz (company)
  • Wiz Research (company)
  • United States (country)
  • CVE-2026-3854 (cve)
  • CWE-22 - Path Traversal (cwe)
  • CWE-78 - OS Command Injection (cwe)
  • CWE-94 - Code Injection (cwe)
  • wiz.io (domain)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1078 - Valid Accounts (mitre_attack)
  • T1190 - Exploit Public-Facing Application (mitre_attack)
  • Git (tool)
  • Claude Code (tool)
  • IDA MCP (tool)
  • IDA MCP (AI-augmented) Reverse Engineering Tooling (tool)