A recently disclosed vulnerability (CVE-2026-3854) affects GitHub.com and GitHub Enterprise Server and may allow an authenticated attacker with push access to achieve remote code execution (RCE) on GitHub infrastructure.

Severity level: High (CVSS score 8.8)

Description:
CVE-2026-3854 is a severe security vulnerability caused by improper sanitization of user-supplied git push options within GitHub's internal Git processing pipeline. During a git push operation, certain user-controlled push option values were incorporated into internal service metadata headers without sufficient validation. As a result, specially crafted push options could break the expected metadata format and introduce attacker-controlled fields that were trusted by downstream services.

An authenticated attacker with push access to a repository could exploit this flaw by submitting a single malicious git push request. By chaining injected values, the attacker could bypass the sandboxing mechanisms used to constrain server-side Git hook execution and ultimately execute arbitrary commands on backend systems. Note that push access is the only privilege required, so every user who can push to any repository on an instance is a potential attacker.

Affected Versions:
GitHub.com
GitHub Enterprise Server (GHES) versions prior to: 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4, 3.20.0

Impact:
Successful exploitation may allow an attacker to execute arbitrary commands on GitHub backend systems.

Resolution:
GitHub Enterprise Server administrators must upgrade immediately to one of the following patched versions or later: 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4, 3.20.0.
After upgrading:
Rebuild and redeploy affected GitHub Enterprise Server instances.
Rotate internal secrets and credentials stored on GHES.
Review audit logs for suspicious git push activity (in particular pushes carrying unusual push options) that occurred before the patch was applied.
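The example below is added here to illustrate the vulnerability class described above and the audit-log review step; it is not GitHub's code and nothing in it is taken from GitHub's internal services. It assumes a hypothetical metadata format (one "key: value" line per field, parsed downstream with last-writer-wins), a hypothetical "sandbox" field, a hypothetical allowlist of push option names, and a constructed audit-log shape. It shows the unsanitized "before" path, where a push option value containing a line break smuggles in an attacker-chosen field, the hardened path that validates each option before it reaches a header, and a small triage helper that runs the same validator over audit events to surface pushes worth investigating.

```python
import json
import re

# Hypothetical internal metadata format: one "key: value" line per field,
# parsed downstream with last-writer-wins. GitHub's real format is unknown.
TRUSTED_DEFAULTS = {"sandbox": "enforced"}

# Hypothetical allowlist of push option names the service understands.
OPTION_KEYS = {"ci.skip", "merge_request.create"}

# Values may only contain a conservative ASCII subset: no newline, carriage
# return, NUL or ':' that could terminate a field or start a new one.
VALUE_RE = re.compile(r"[A-Za-z0-9 ._/@+=-]{0,255}")


def build_metadata_vulnerable(push_options):
    """'Before' behaviour: option values are pasted into header lines verbatim."""
    lines = [f"{k}: {v}" for k, v in TRUSTED_DEFAULTS.items()]
    for opt in push_options:
        key, _, value = opt.partition("=")
        lines.append(f"push-option.{key}: {value}")
    return "\n".join(lines) + "\n"


def parse_metadata(text):
    """Downstream consumer: a naive header parser where the last field wins."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key] = value
    return fields


class PushOptionError(ValueError):
    """Raised when a push option fails validation."""


def validate_push_option(opt):
    """Hardened check: allowlisted key and a conservative value charset."""
    key, _, value = opt.partition("=")
    if key not in OPTION_KEYS:
        raise PushOptionError(f"unknown push option {key!r}")
    if not VALUE_RE.fullmatch(value):
        raise PushOptionError(f"invalid value for push option {key!r}")
    return key, value


def is_valid_push_option(opt):
    try:
        validate_push_option(opt)
    except PushOptionError:
        return False
    return True


def build_metadata_hardened(push_options):
    """'After' behaviour: every option is validated before it reaches a header."""
    lines = [f"{k}: {v}" for k, v in TRUSTED_DEFAULTS.items()]
    for opt in push_options:
        key, value = validate_push_option(opt)
        lines.append(f"push-option.{key}: {value}")
    return "\n".join(lines) + "\n"


def suspicious_push_options(audit_log_lines):
    """Triage helper: flag push events whose options fail the hardened check."""
    hits = []
    for raw in audit_log_lines:
        event = json.loads(raw)
        if event.get("action") != "git.push":
            continue
        for opt in event.get("push_options", []):
            try:
                validate_push_option(opt)
            except PushOptionError as exc:
                hits.append((event["actor"], event["repo"], str(exc)))
    return hits


# Constructed sample events for this example; not real GitHub audit-log records.
SAMPLE_LOG = [
    json.dumps({"action": "git.push", "actor": "alice", "repo": "org/app",
                "push_options": ["ci.skip=true"]}),
    json.dumps({"action": "git.push", "actor": "mallory", "repo": "org/app",
                "push_options": ["ci.skip=x\nsandbox: disabled"]}),
    json.dumps({"action": "repo.create", "actor": "bob", "repo": "org/new"}),
]

# A push option whose value carries a line break plus a forged header field.
INJECTED = "ci.skip=x\nsandbox: disabled"

if __name__ == "__main__":
    print("vulnerable path sees:", parse_metadata(build_metadata_vulnerable([INJECTED])))
    print("hardened path rejects it:", not is_valid_push_option(INJECTED))
    print("audit triage hits:", suspicious_push_options(SAMPLE_LOG))
```

Two design points carry over to any real fix. First, validation is by allowlist (known option names, a small value charset) rather than by stripping a few known-bad characters, so new delimiters in the downstream format cannot reopen the hole. Second, the same validator that protects the write path doubles as the detection rule for historical events, which keeps the triage criteria aligned with what the patched service would now refuse.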