GitHub RCE Vulnerability: CVE-2026-3854 Breakdown
Key takeaways
- Wiz Research uncovered a critical vulnerability (CVE-2026-3854) in GitHub's internal git infrastructure that could have affected both GitHub.com and GitHub Enterprise Server.
- Notably, this is one of the first critical vulnerabilities discovered in closed-source binaries using AI, highlighting a shift in how these flaws are identified.
- GitHub mitigated this issue on GitHub.com within 6 hours of our report, released patches for all supported versions of GitHub Enterprise Server, and published the CVE at the time of release.
Wiz Research uncovered a critical vulnerability (CVE-2026-3854) in GitHub's internal git infrastructure that could have affected both GitHub.com and GitHub Enterprise Server. By exploiting an injection flaw in GitHub's internal protocol, any authenticated user could execute arbitrary commands on GitHub's backend servers with a single git push command - using nothing but a standard git client.
Notably, this is one of the first critical vulnerabilities discovered in closed-source binaries using AI, highlighting a shift in how these flaws are identified. Despite the complexity of the underlying system, the vulnerability is remarkably easy to exploit. On GitHub.com, this vulnerability allowed remote code execution on shared storage nodes. We confirmed that millions of public and private repositories belonging to other users and organizations were accessible on the affected nodes. On GitHub Enterprise Server, the same vulnerability grants full server compromise, including access to all hosted repositories and internal secrets.
GitHub mitigated this issue on GitHub.com within 6 hours of our report, released patches for all supported versions of GitHub Enterprise Server, and published the CVE at the time of release. GitHub Enterprise Server customers should upgrade immediately - at the time of this writing, our data indicates that 88% of instances are still vulnerable. Detailed remediation steps and further technical details are available in GitHub’s security blog post.