Overview
- GitHub disclosed a critical remote code execution bug in its git push pipeline, assigned CVE-2026-3854, and published GitHub Enterprise Server patches across supported releases.
- Wiz reported the issue through GitHub’s bug bounty program, and GitHub deployed a fix to github.com within hours of validating the report.
- The flaw stemmed from unsanitized git push option values that shared a delimiter with internal metadata, which let injected fields be treated as trusted and enabled command execution on servers.
- GitHub’s investigation used telemetry from an abnormal code path forced by the exploit and found only the researchers’ tests, with no customer data accessed, modified, or exfiltrated.
- For self-hosted GHES, GitHub urges immediate upgrades and a review of /var/log/github-audit.log for push operations with unusual characters, noting exploitation there would require an authenticated user with push access.
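A triage script for the audit-log review recommended in the last point, added here as an example and not taken from GitHub's advisory or tooling. It flags push records in an audit log that contain characters outside printable ASCII (NUL, other control bytes, non-ASCII), which is the "unusual characters" signal to look for. The line layout of the sample records and the `git.push` marker used to recognise push operations are assumptions, not GitHub's documented log format; adjust `PUSH_MARKER` to whatever identifies push events in your GHES build.

```python
"""Triage helper: flag push records with unusual characters in an audit log.

The record layout below and the "git.push" marker are assumptions made for
this example; they are not GitHub's documented github-audit.log format.
"""
import sys
from typing import Iterable

PUSH_MARKER = "git.push"  # assumed token identifying push records


def unusual_chars(text: str) -> set:
    """Return the set of characters in text outside printable ASCII (0x20-0x7E)."""
    return {ch for ch in text if not (0x20 <= ord(ch) <= 0x7E)}


def find_suspicious_push_entries(lines: Iterable[str], push_marker: str = PUSH_MARKER) -> list:
    """Return (line_number, line, unusual_chars) for push records with odd characters."""
    hits = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")  # the record terminator is not a finding
        if push_marker not in line:
            continue  # only push operations are in scope for this review
        odd = unusual_chars(line)
        if odd:
            hits.append((lineno, line, odd))
    return hits


def scan_file(path: str, push_marker: str = PUSH_MARKER) -> list:
    """Scan a log file; errors='replace' keeps undecodable bytes visible as U+FFFD."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_suspicious_push_entries(fh, push_marker)


def describe(hit) -> str:
    """Render one hit for an analyst, with the odd characters named by code point."""
    lineno, line, odd = hit
    codes = ", ".join(f"U+{ord(c):04X}" for c in sorted(odd))
    return f"line {lineno}: unusual characters {codes}: {line!r}"


# Constructed sample records (not real GHES output) exercising the check.
# Line 3 is a push carrying NUL and a unit-separator byte; line 4 also carries
# a NUL but is a clone, so it is out of scope for a push review.
SAMPLE_LINES = [
    "2026-03-01T10:00:00Z action=git.push actor=alice repo=org/app options=ci.skip\n",
    "2026-03-01T10:01:00Z action=git.push actor=bob repo=org/app options=deploy=prod\n",
    "2026-03-01T10:02:00Z action=git.push actor=mallory repo=org/app options=x\x00y\x1fz\n",
    "2026-03-01T10:03:00Z action=git.clone actor=carol repo=org/app options=a\x00b\n",
]


if __name__ == "__main__":
    # Usage: python triage.py /var/log/github-audit.log  (or no argument for the sample)
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_suspicious_push_entries(SAMPLE_LINES)
    for hit in hits:
        print(describe(hit))
    sys.exit(1 if hits else 0)
```

This is a filter for what to look at first, not a verdict: a branch name or commit message with legitimate non-ASCII text will also be flagged, so each hit still needs an analyst to confirm whether the unusual characters sit in push option values and whether the pushing account was expected to have push access at that time.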