A recently disclosed vulnerability (CVE-2026-3854) affects GitHub.com and GitHub Enterprise Server and may allow unauthenticated attackers to achieve remote code execution (RCE) on GitHub infrastructure.
Severity level
CVSS Score: 8.8 (High).
Description:
CVE-2026-3854 is a severe security vulnerability caused by improper sanitization of user-supplied git push options within GitHub's internal Git processing pipeline. During a git push operation, certain user-controlled push option values were incorporated into internal service metadata headers without sufficient validation. As a result, specially crafted push options could break the expected metadata format and introduce attacker-controlled fields that downstream services trusted. An authenticated attacker with push access to a repository could exploit this flaw by submitting a single malicious git push request. By chaining injected values, the attacker could bypass the sandboxing mechanisms used to constrain server-side Git hook execution and ultimately execute arbitrary commands on backend systems.
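The defect class described above (a user-controlled value interpolated verbatim into a line-delimited metadata block that a downstream parser trusts) is illustrated below with a constructed Python model. This is added example code, not GitHub's pipeline code, and the field names (`repo`, `sandbox`, `push-option`), the header format and the allow-list pattern are all assumptions chosen for illustration; the point is that the hardened builder refuses any value that could carry the format's own delimiters.

```python
import re

# Constructed model of the vulnerability class, not GitHub's real code or format.
# A service serialises metadata as "key: value" lines; one value is user-supplied.

def build_metadata_unsafe(push_option: str) -> str:
    # Vulnerable pattern: the push option is interpolated without validation,
    # so a value containing a newline adds extra "fields" to the block.
    return f"repo: example/repo\nsandbox: strict\npush-option: {push_option}\n"

def parse_metadata(block: str) -> dict:
    # Naive downstream parser: splits on lines, last occurrence of a key wins.
    fields = {}
    for line in block.splitlines():
        if not line:
            continue
        key, _, value = line.partition(": ")
        fields[key] = value
    return fields

# Assumed allow-list: printable token characters only, bounded length.
# Newlines, colons and other separator characters can never pass this check.
PUSH_OPTION_RE = re.compile(r"[A-Za-z0-9._=-]{1,256}")

def validate_push_option(push_option: str) -> str:
    # Hardened form: reject anything outside the allow-list instead of
    # trying to escape individual dangerous characters.
    if not PUSH_OPTION_RE.fullmatch(push_option):
        raise ValueError("push option contains disallowed characters")
    return push_option

def build_metadata_safe(push_option: str) -> str:
    return build_metadata_unsafe(validate_push_option(push_option))

def sandbox_mode_unsafe(push_option: str) -> str:
    # What the downstream service would see for the sandbox field.
    return parse_metadata(build_metadata_unsafe(push_option))["sandbox"]

def sandbox_mode_safe(push_option: str) -> str:
    return parse_metadata(build_metadata_safe(push_option))["sandbox"]
```

Validating against a strict allow-list at the trust boundary is the durable fix here; escaping the specific characters a parser happens to treat as separators tends to miss the next parser.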
Affected Versions:
- GitHub.com.
- GitHub Enterprise Server (GHES) versions prior to: 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4, 3.20.0.
Impact:
Successful exploitation may allow an attacker to execute arbitrary commands on GitHub backend systems.
Resolution:
GitHub Enterprise Server administrators must upgrade immediately to one of the following patched versions or later:
- 3.14.25.
- 3.15.20.
- 3.16.16.
- 3.17.13.
- 3.18.8.
- 3.19.4.
- 3.20.0.
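Administrators with several GHES instances may want a quick check of whether a given installed version is at or beyond the patched release for its line. The Python helper below is added here and is not part of the advisory; it encodes only the patched versions listed above, treats any release at or beyond 3.20.0 as fixed (since the advisory says the listed versions "or later"), and reports release lines the advisory does not mention as unknown rather than guessing.

```python
# Patched GHES versions exactly as listed in the advisory.
PATCHED_GHES = ["3.14.25", "3.15.20", "3.16.16", "3.17.13", "3.18.8", "3.19.4", "3.20.0"]

def parse_version(version: str) -> tuple:
    # "3.17" -> (3, 17, 0); pads to three components so tuples compare cleanly.
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

# Map each release line (major, minor) to its first patched version.
FIRST_PATCHED = {parse_version(v)[:2]: parse_version(v) for v in PATCHED_GHES}

def is_patched(version: str):
    # True if fixed, False if a listed line is below its patched release,
    # None if the advisory says nothing about this release line.
    v = parse_version(version)
    line = v[:2]
    if line in FIRST_PATCHED:
        return v >= FIRST_PATCHED[line]
    if v >= (3, 20, 0):
        return True
    return None

def classify(versions):
    # Summarise a fleet: version -> "patched" / "vulnerable" / "unknown".
    labels = {True: "patched", False: "vulnerable", None: "unknown"}
    return {ver: labels[is_patched(ver)] for ver in versions}

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for ver, status in classify(["3.17.12", "3.17.13", "3.18.9", "3.21.1", "3.13.5"]).items():
        print(f"{ver}: {status}")
```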
After upgrading:
- Rebuild and redeploy affected GitHub Enterprise Server instances.
- Rotate internal secrets and credentials stored on GHES.
- Review audit logs for suspicious git push activity prior to patching.
Reference:
UIT Information Security
