GitHub Security Flaws: Code Injection & Repo Takeover Risks

by Sophie Williams

GitHub swiftly addressed a critical remote code execution (RCE) vulnerability, CVE-2026-3854, that could have allowed attackers to gain access to private repositories. The flaw, discovered by researchers at Wiz, was reported on March 4, 2026, and a fix for GitHub.com was deployed within two hours, according to the company.

The vulnerability stemmed from insufficient sanitization of user-supplied options during “git push” operations. Specifically, values provided by users were incorporated into internal server metadata without adequate filtering. This allowed attackers to inject additional fields, potentially executing arbitrary code on the server.

“During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers,” a GitHub advisory explained. “Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values.”

Wiz researchers demonstrated that a single, maliciously crafted “git push” command was sufficient to exploit the vulnerability. The potential impact was significant: an attacker with push access could have gained full read/write access to private repositories on GitHub.com or on vulnerable GitHub Enterprise Server instances.

Alexis Wales, Chief Information Security Officer of GitHub, stated that the security team reproduced and confirmed the vulnerability within 40 minutes of the report. The fix was then deployed to GitHub.com less than two hours later.

The vulnerability affects GitHub.com, GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, GitHub Enterprise Cloud with Enterprise Managed Users, and GitHub Enterprise Server. GitHub has released updates to address the issue in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4 and 3.20.0, and in later releases.

According to reports, there is currently no evidence that the vulnerability was exploited in a malicious context. This quick response highlights the increasing importance of proactive security measures in the software development lifecycle, particularly for widely used platforms like GitHub that host a vast amount of proprietary code.

The flaw centered on the way GitHub handled user-supplied git push options: values were not adequately sanitized before being incorporated into the internal X-Stat header. Because the header used a semicolon as its field delimiter, and a semicolon could also appear in user input, a crafted push option could inject additional header fields, which is what opened the path to arbitrary command execution on the server.
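The bug class described above (a delimiter that is both a field separator in an internal record and a legal character in user input) is easy to model. The following is an added illustration, not GitHub's code; the page does not describe the X-Stat format, so the `key=value;key=value` layout, the field names and the sample push option are all constructed assumptions. It places a naive serializer beside two hardened variants (reject reserved characters, or percent-encode the value) and adds a small check over the `GIT_PUSH_OPTION_COUNT` / `GIT_PUSH_OPTION_<n>` environment variables that git exposes to server-side hooks, which is where an operator of a self-hosted git server would enforce such a rule.

```python
"""Toy model of delimiter-based metadata injection in a git push pipeline.

Added example; not GitHub's implementation. ASSUMED: the internal header is a
';'-separated list of key=value pairs and the push option value is embedded
verbatim in one of those pairs. Field names below are constructed.
"""
from typing import Dict, List
from urllib.parse import quote

DELIM = ";"          # assumed field delimiter of the internal header
KV_SEP = "="         # assumed key/value separator
RESERVED = DELIM + KV_SEP + "\r\n\0"   # characters that must never come from user input


def build_header_naive(repo: str, push_option: str) -> str:
    """Vulnerable pattern: user input is concatenated with no filtering."""
    return f"repo={repo}{DELIM}push_option={push_option}"


def parse_header(header: str) -> Dict[str, str]:
    """Consumer side: split on the delimiter; later duplicates win.

    This is the behaviour that turns a stray ';' in user input into an extra,
    attacker-controlled field on the receiving service.
    """
    fields: Dict[str, str] = {}
    for part in header.split(DELIM):
        if not part:
            continue
        key, _, value = part.partition(KV_SEP)
        fields[key] = value
    return fields


def validate_push_option(value: str) -> str:
    """Hardened variant 1: reject any value that could act as a field boundary."""
    bad = [c for c in RESERVED if c in value]
    if bad:
        raise ValueError(f"push option contains reserved characters: {bad!r}")
    return value


def is_rejected(value: str) -> bool:
    """Convenience predicate so callers can test the policy without try/except."""
    try:
        validate_push_option(value)
    except ValueError:
        return True
    return False


def build_header_safe(repo: str, push_option: str) -> str:
    """Serializer that refuses unsafe values outright."""
    return f"repo={repo}{DELIM}push_option={validate_push_option(push_option)}"


def build_header_encoded(repo: str, push_option: str) -> str:
    """Hardened variant 2: percent-encode so the delimiter cannot survive into
    the wire format; the consumer decodes the single field it expects."""
    return f"repo={repo}{DELIM}push_option={quote(push_option, safe='')}"


def check_hook_environment(env: Dict[str, str]) -> List[str]:
    """Defensive check for a pre-receive hook.

    git sets GIT_PUSH_OPTION_COUNT and GIT_PUSH_OPTION_0..N-1 for hooks when a
    client sends --push-option values. Returns the options that violate the
    policy so the hook can log them and reject the push (exit non-zero).
    """
    count = int(env.get("GIT_PUSH_OPTION_COUNT", "0"))
    offending = []
    for i in range(count):
        value = env.get(f"GIT_PUSH_OPTION_{i}", "")
        if is_rejected(value):
            offending.append(value)
    return offending


if __name__ == "__main__":
    # Constructed sample: a push option that smuggles a second field.
    crafted = "build;role=admin"
    print("naive  :", parse_header(build_header_naive("org/app", crafted)))
    print("encoded:", parse_header(build_header_encoded("org/app", crafted)))
    print("rejected by validator:", is_rejected(crafted))
    sample_env = {"GIT_PUSH_OPTION_COUNT": "2",
                  "GIT_PUSH_OPTION_0": "ci.skip",
                  "GIT_PUSH_OPTION_1": crafted}
    print("hook would reject:", check_hook_environment(sample_env))
```

Run stand-alone, the naive path parses the crafted value into three fields (`repo`, `push_option` and an unexpected `role`), while the encoded path yields exactly two and the validator rejects the value before it is ever serialized. The general lesson is the one the advisory states: any byte that the consumer treats as structure must be impossible for the producer to pass through from untrusted input, either by rejecting it or by encoding it.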

As one Wiz spokesperson noted, “Exploitation could expose the codebases of nearly all of the world’s biggest enterprises, making this one of the most severe SaaS vulnerabilities ever found.”
