On March 4, 2026, Wiz researchers reported CVE-2026-3854 to GitHub's Bug Bounty program: a critical remote code execution vulnerability affecting github.com, GitHub Enterprise Cloud, and GitHub Enterprise Server. Any user with push access to a repository could achieve arbitrary command execution on GitHub's servers with a single crafted git push. GitHub validated the finding in 40 minutes, deployed a fix to github.com by 7:00 p.m. UTC the same day, and completed a forensic investigation that found no exploitation other than Wiz's own testing.
The mechanics matter here. Git push options, a legitimate git feature for passing key-value strings from client to server, were folded into GitHub's internal service metadata without sanitizing the semicolon that the metadata format uses as a field delimiter. A push option containing a semicolon therefore terminated the attacker's field and started a new one, letting the attacker inject additional fields, override the processing environment, bypass the sandbox protections around hook execution, and run arbitrary code. Exploitation also forced a code path that never runs during normal operation, which gave GitHub a reliable forensic signal: every hit in their telemetry traced back to Wiz's own test activity. No customer data was accessed or exfiltrated.
GitHub Enterprise Server customers are not automatically patched. Fixes are available in releases 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4, and 3.20.0. Upgrade immediately. Until you can, review /var/log/github-audit.log for push operations whose push options contain a semicolon; legitimate push options have no reason to carry the delimiter. The full post is worth reading for the defense-in-depth section: GitHub discovered a dead code path left in container images from a stale deployment model, removed it, and explains exactly how that residual access amplified the original injection flaw.
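To make the bug class and the interim check concrete, here is an added Python illustration that is not GitHub's code and not from the original post. It models the delimiter-injection pattern described above with a toy metadata record (server fields and client push options joined with semicolons), shows how one push option smuggles an extra field that overrides a server-side setting, shows the fail-closed fix (reject any option that does not match a strict allowlist), and runs the semicolon hunt over constructed audit entries. The field names (`hook_sandbox`, `opt.` prefix, `action`, `push_options`), the record format and the sample log lines are all assumptions made up for the example; the real GHES audit log schema will differ.

```python
import json
import re
from typing import Dict, Iterable, List

DELIM = ";"

# Hypothetical server-side defaults; GitHub's real field names are not public.
BASE_METADATA = {"repo": "acme/widgets", "hook_sandbox": "on", "actor": "alice"}


def build_metadata_vulnerable(base: Dict[str, str], push_options: Iterable[str]) -> str:
    """Fold client-supplied push options into a ';'-separated record
    without checking for the separator. This is the bug class."""
    fields = [f"{k}={v}" for k, v in base.items()]
    # Client options get an 'opt.' prefix so they cannot collide with server
    # keys... unless the option itself contains ';' and so starts a new field.
    fields += [f"opt.{opt}" for opt in push_options]
    return DELIM.join(fields)


def parse_metadata(record: str) -> Dict[str, str]:
    """Naive downstream consumer: split on ';', last assignment wins."""
    parsed: Dict[str, str] = {}
    for field in record.split(DELIM):
        if "=" in field:
            key, value = field.split("=", 1)
            parsed[key] = value
    return parsed


# Fail-closed allowlist for one push option: key=value, with a character set
# that excludes the delimiter, a second '=', whitespace and control characters.
SAFE_OPTION = re.compile(r"^[A-Za-z0-9_.-]{1,64}=[A-Za-z0-9_./-]{0,256}$")


def build_metadata_hardened(base: Dict[str, str], push_options: Iterable[str]) -> str:
    """Same record format, but every option must match SAFE_OPTION before it
    is embedded; non-conforming input is rejected rather than escaped."""
    fields = [f"{k}={v}" for k, v in base.items()]
    for opt in push_options:
        if not SAFE_OPTION.fullmatch(opt):
            raise ValueError(f"rejected push option: {opt!r}")
        fields.append(f"opt.{opt}")
    return DELIM.join(fields)


def suspicious_push_options(audit_lines: Iterable[str]) -> List[dict]:
    """Interim hunt: return push events whose push options contain ';'.
    Assumes one JSON object per line with hypothetical 'action' and
    'push_options' keys; map these onto the real audit log schema."""
    hits: List[dict] = []
    for line in audit_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("action") != "git.push":
            continue
        if any(DELIM in opt for opt in event.get("push_options", [])):
            hits.append(event)
    return hits


# Constructed sample audit entries, not real GitHub log output.
SAMPLE_AUDIT_LOG = [
    '{"action":"git.push","actor":"alice","repo":"acme/widgets","push_options":["ci.skip=1"]}',
    '{"action":"git.push","actor":"mallory","repo":"acme/widgets","push_options":["ci.skip=1;hook_sandbox=off"]}',
    '{"action":"repo.create","actor":"bob","repo":"acme/new"}',
]

if __name__ == "__main__":
    evil = ["ci.skip=1;hook_sandbox=off"]
    record = build_metadata_vulnerable(BASE_METADATA, evil)
    print("vulnerable record:", record)
    print("hook_sandbox as seen by consumer:", parse_metadata(record)["hook_sandbox"])
    try:
        build_metadata_hardened(BASE_METADATA, evil)
    except ValueError as exc:
        print("hardened build:", exc)
    for hit in suspicious_push_options(SAMPLE_AUDIT_LOG):
        print("suspicious push by", hit["actor"], hit["push_options"])
```

The vulnerable path produces `...;opt.ci.skip=1;hook_sandbox=off`, and because the consumer splits on the same delimiter and lets the last assignment win, the attacker's `hook_sandbox=off` replaces the server's `hook_sandbox=on`. Rejecting rather than escaping is deliberate: an allowlist is easy to reason about, while an escaping scheme has to agree exactly with every parser downstream, which is the assumption that failed here.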