Cybersecurity researchers disclosed a critical vulnerability in GitHub[.]com and GitHub Enterprise Server, tracked as CVE-2026-3854, which could allow remote code execution with a single git push command. The flaw is a command injection: user-supplied push option values are not sanitised before entering internal service headers, enabling an attacker with push access to inject metadata and execute arbitrary commands.
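The defect class described above is an input that crosses a trust boundary (a `git push -o key=value` option) and is copied into an internal header without validation. The following added example, which is not GitHub's code and does not reflect how GitHub's services are actually implemented, shows the kind of allowlist validation a service should apply before push options reach headers or command lines. The option keys, header names, length limit and metacharacter set are all constructed assumptions for the illustration.

```python
import re

# Constructed allowlist of push option keys the hypothetical service accepts.
# Anything not listed here is rejected before it can influence downstream behaviour.
ALLOWED_OPTION_KEYS = {"ci.skip", "merge_request.create"}

# Values must be printable ASCII, which excludes CR/LF (header injection),
# NUL and other control bytes. The 256-byte limit is an assumed policy value.
_SAFE_VALUE_RE = re.compile(r"[\x20-\x7e]{0,256}")

# Shell metacharacters that must never reach a command line, even if the
# value is otherwise printable. Constructed set; extend for your own runner.
_SHELL_META = set(";&|`$<>(){}\\\n\r")


def parse_push_option(raw: str) -> tuple[str, str]:
    """Split a 'key=value' push option as sent by `git push -o key=value`.

    A bare 'key' with no '=' yields an empty value, matching git's behaviour.
    """
    key, sep, value = raw.partition("=")
    if not sep:
        value = ""
    return key, value


def validate_push_option(raw: str) -> bool:
    """Return True only if the option key is allowlisted and the value is inert."""
    key, value = parse_push_option(raw)
    if key not in ALLOWED_OPTION_KEYS:
        return False
    if _SAFE_VALUE_RE.fullmatch(value) is None:
        return False
    if any(ch in _SHELL_META for ch in value):
        return False
    return True


def build_internal_headers(options: list[str]) -> dict[str, str]:
    """Build the header map for a downstream service, refusing unsafe options.

    Rejecting (rather than stripping) keeps the failure visible in logs and
    avoids silently producing a header the pusher did not intend.
    """
    headers: dict[str, str] = {}
    for raw in options:
        if not validate_push_option(raw):
            raise ValueError(f"rejected push option: {raw!r}")
        key, value = parse_push_option(raw)
        # Hypothetical header name; the real internal header is not public.
        headers[f"X-Push-Option-{key}"] = value
    return headers


if __name__ == "__main__":
    # Constructed sample inputs: one benign option and two that must be refused.
    for sample in ["ci.skip=true", "ci.skip=true\r\nX-Admin: 1", "ci.skip=$(id)"]:
        print(f"{sample!r}: {'accepted' if validate_push_option(sample) else 'rejected'}")
```

The important design choice is to validate against an allowlist of keys and a positive character class for values, rather than trying to strip known-bad sequences; a denylist is exactly the approach that tends to miss the next encoding trick.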
Wiz was credited with discovering and reporting the issue on 4 March 2026, and GitHub validated and deployed a fix to GitHub[.]com within two hours, according to GitHub's advisory. The vulnerability affects GitHub[.]com, GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, GitHub Enterprise Cloud with Enterprise Managed Users, and GitHub Enterprise Server, and is rated CVSS 8.7.
GitHub notes that the fix also covers multiple Enterprise Server versions (3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4, and 3.20.0 or later) and states there is no evidence of malicious exploitation at the time of disclosure. Wiz described the remote code execution chain as consisting of three injections that could override the environment, bypass sandboxing, and allow code execution on the server, with about 88% of instances reportedly vulnerable at disclosure.