GitHub RCE CVE-2026-3854: One Git Push Could Hijack the Server (April 28, 2026)
GitHub on April 28, 2026 disclosed CVE-2026-3854, a CVSS 8.7 remote code execution flaw in its git push pipeline that any authenticated user could trigger with a single command. GitHub.com was patched within two hours of Wiz reporting the bug, but Help Net Security found 88% of self-hosted GitHub Enterprise Server instances remained vulnerable at disclosure.
GitHub publicly disclosed CVE-2026-3854, a CVSS 8.7 remote code execution flaw in its internal git push pipeline. Any authenticated user could run arbitrary commands on GitHub's backend storage nodes by sending a single crafted git push with a malicious push option — with no special tools beyond a stock git client.
What Happened
Researchers at Wiz reported the bug to GitHub on . According to GitHub's own incident write-up, the security team reproduced the vulnerability within 40 minutes and rolled a fix to GitHub.com less than two hours after first contact. A patch for GitHub Enterprise Server (GHES) followed on , gated for ~7 weeks of coordinated disclosure before the public announcement on April 28.
The root cause was an injection flaw in GitHub's internal protocol: during a git push, user-supplied push option values were passed into internal service headers without proper sanitization, and the header delimiter character could appear inside the user input. An attacker could close the legitimate header and inject additional metadata fields — some of which were later interpreted as commands on the storage backend. Because git push runs against shared storage nodes, a successful exploit on GitHub.com would have given the attacker access to millions of public and private repositories co-resident on the same node.
Key Details
- CVSS score: 8.7 (High). Tracked as CVE-2026-3854 at NVD.
- Attack vector: A single authenticated git push with a crafted push option — no scripts, no proxy, no secondary tooling required.
- Affected products: GitHub.com (patched within 2 hours of report) and GitHub Enterprise Server v3.14 through v3.20.
- Patched GHES versions: 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6, 3.19.3 (and later 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, 3.20.0).
- Bounty: Wiz received "one of the highest rewards available" in the GitHub Bug Bounty program, per GitHub's disclosure.
- Discovery method: Wiz used AI-assisted reverse engineering on GitHub's closed-source binaries and went from "idea to working exploit in under 48 hours," after circling the target since September 2024.
- Exploitation evidence: GitHub's forensic review found no evidence of exploitation prior to Wiz's disclosure; telemetry showed the vulnerable code path was triggered only by Wiz researchers.
What Developers and Self-Hosters Are Saying
The reaction on the Hacker News thread for Wiz's write-up has been a mix of admiration for the response time and alarm at the patching gap on self-hosted GHES. The most-upvoted comment summarizes it bluntly: "88% of on-prem customers haven't applied a critical security fix from 7 weeks ago, that seems ... bad." That number comes from Help Net Security, which scanned public GHES instances on the day of disclosure and found 88% still running an unpatched build.
On The Hacker News and BleepingComputer, security teams are emphasizing that the SaaS GitHub.com side is no longer at risk, but every team running their own GHES needs to verify the build version this week. The other talking point across X/Twitter security accounts and r/netsec is the AI-discovery angle: this is one of the first publicly documented critical bugs in a closed-source binary surfaced through AI-assisted reverse engineering, and several commenters expect a wave of similar findings in 2026.
What This Means for Developers
If you depend on GitHub.com, no action is required — GitHub patched the platform on March 4, 2026 and confirmed no exfiltration occurred. If you operate GitHub Enterprise Server, the action is urgent: upgrade to the patched version of your release line (3.14.24+, 3.15.19+, 3.16.15+, 3.17.12+, 3.18.6+, 3.19.3+, or any 3.20.x), and then audit any push activity since March for the malformed push-option pattern Wiz documented. Internal-only GHES instances behind a VPN are still at risk because the precondition is only "authenticated user" — a malicious insider or compromised account is enough.
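To make the injection class from the "What Happened" section concrete, and to show what the push-log audit recommended above can look like, here is an added example that is not code from GitHub, Wiz or the original article. It assumes a simplified model of the internal protocol (one "key: value" header line per push option, header block ended by a blank line) and a constructed log format; GitHub's real headers, delimiter and log schema are not public.

```python
import re

# Assumed model, not GitHub's actual internal protocol: the push pipeline
# forwards each push option to a storage node as one "key: value" header
# line, and the header block ends at the first blank line.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def parse_headers(block):
    """Receiving side: read 'key: value' lines up to the blank line."""
    headers = {}
    for line in block.split("\n"):
        if line == "":
            break
        key, _, value = line.partition(": ")
        headers[key] = value
    return headers


def build_headers_vulnerable(push_options):
    """Mirrors the flaw the advisory describes: user values are interpolated
    into the header block without checking for the line delimiter."""
    lines = [f"x-push-option-{i}: {opt}" for i, opt in enumerate(push_options)]
    return "\n".join(lines) + "\n\n"


def validate_push_option(opt, max_len=1024):
    """Reject any value that could terminate the header line early."""
    if len(opt) > max_len:
        raise ValueError("push option too long")
    if CONTROL_CHARS.search(opt):
        raise ValueError("push option contains control characters")
    return opt


def build_headers_fixed(push_options):
    """Hardened builder: every value passes the delimiter check first."""
    lines = [f"x-push-option-{i}: {validate_push_option(opt)}"
             for i, opt in enumerate(push_options)]
    return "\n".join(lines) + "\n\n"


def injected_header_keys(push_options):
    """Header keys the storage side would see beyond the expected ones."""
    expected = {f"x-push-option-{i}" for i in range(len(push_options))}
    seen = set(parse_headers(build_headers_vulnerable(push_options)))
    return sorted(seen - expected)


def audit_push_log(lines):
    """Flag entries of a (constructed) receive log whose push_option value
    contains control characters; logged escapes such as '\\n' are decoded."""
    flagged = []
    for line in lines:
        m = re.search(r'push_option="((?:[^"\\]|\\.)*)"', line)
        if m and CONTROL_CHARS.search(m.group(1).encode().decode("unicode_escape")):
            flagged.append(line)
    return flagged
```

The same control-character check serves both as the server-side fix (reject before building headers) and as the audit predicate over historical push logs.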
The wider takeaway is that the git push code path — long treated as plumbing — is a viable attack surface on any platform that does server-side processing of push options, hooks, or LFS pointers. Expect more scrutiny across GitLab, Gitea, Forgejo, Bitbucket Server, and self-hosted alternatives in the coming weeks.
What's Next
GitHub has committed to publishing a fuller post-mortem covering the input-sanitization audit it has now extended across other internal protocols. Wiz says it will release a detailed technical breakdown of the AI-assisted workflow it used to find the bug. CISA has not yet added CVE-2026-3854 to its Known Exploited Vulnerabilities catalog (as of disclosure there is no evidence of in-the-wild exploitation), but enterprise customers should monitor the KEV catalog and apply the GHES patch before that changes.
Sources
- The GitHub Blog — Securing the git push pipeline — GitHub's official incident response and timeline.
- Wiz Blog — GitHub RCE Vulnerability: CVE-2026-3854 Breakdown — the discovering researcher's technical write-up.
- Help Net Security — "88% of self-hosted GitHub servers exposed to RCE."
- BleepingComputer — mainstream news coverage with patching guidance.
- The Hacker News — details on the bug bounty, CVSS, and AI-assisted discovery.
- NVD entry for CVE-2026-3854 — official vulnerability record.
- Hacker News discussion — developer and security-engineer reactions.