CVE-2026-3854 has been disclosed as a critical remote code execution vulnerability in GitHub’s git push pipeline, turning a routine push into a potential vector for arbitrary command execution. The issue arose from user-supplied git push options being included in internal metadata without sufficient sanitisation, enabling an attacker with push access to craft values that downstream services could treat as trusted.
According to GitHub’s incident write-up, the flaw affected multiple GitHub environments and was addressed with patches for supported GitHub Enterprise Server releases (versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4 and 3.20.0, or later). GitHub reports no evidence of real-world exploitation or customer data compromise during the investigation: no exploitation beyond security researchers’ testing was observed, and remediation involved rapid internal validation and hardening.
The guidance for organisations is to upgrade GitHub Enterprise Server to a patched version and to review recent push activity and related workflows; SOCRadar’s Vulnerability Intelligence module is offered as context to connect CVEs with exposed assets and remediation priorities.
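The root cause described above, push options flowing into trusted metadata unsanitised, is illustrated here with an added example that is not GitHub’s code (its pipeline is not public): a pre-receive-style check that treats git’s GIT_PUSH_OPTION_* values as untrusted, allowlists option keys, enforces a strict value grammar and records the result as structured JSON rather than splicing it into text. The allowlisted key names and the metadata layout are assumptions for the illustration.

```python
"""Treat git push options as untrusted input before recording them.

git passes `git push -o key=value` options to server-side hooks as
GIT_PUSH_OPTION_COUNT and GIT_PUSH_OPTION_0..N-1. This illustration accepts
only allowlisted keys with a strict value grammar and stores the result as a
structured JSON field, never as text spliced into a command or metadata string.
"""
import json
import re
from typing import Mapping

# Allowlisted option keys are an assumption for this illustration.
ALLOWED_KEYS = {"ci.skip", "merge_request.create", "ticket"}
KEY_RE = re.compile(r"[a-z][a-z0-9_.]{0,63}")
# Printable ASCII only (no whitespace, quotes or delimiters); checked with fullmatch.
VALUE_RE = re.compile(r"[A-Za-z0-9._:/@-]{1,128}")


class PushOptionError(ValueError):
    """Validation failure; a hook raising this should reject the push."""


def read_push_options(env: Mapping[str, str]) -> list[str]:
    """Collect the raw GIT_PUSH_OPTION_<n> values from a hook's environment."""
    count = int(env.get("GIT_PUSH_OPTION_COUNT", "0"))
    return [env[f"GIT_PUSH_OPTION_{i}"] for i in range(count)]


def validate_push_options(raw: list[str]) -> dict[str, str]:
    """Return the well-formed, allowlisted options; raise on anything else."""
    accepted: dict[str, str] = {}
    for opt in raw:
        # Reject line breaks explicitly: a newline inside a value could start a new record downstream.
        if "\n" in opt or "\r" in opt:
            raise PushOptionError("line break in push option")
        key, sep, value = opt.partition("=")
        if not sep or not KEY_RE.fullmatch(key) or key not in ALLOWED_KEYS:
            raise PushOptionError(f"unknown or malformed option key: {key!r}")
        if not VALUE_RE.fullmatch(value):
            raise PushOptionError(f"invalid value for {key}: {value!r}")
        if key in accepted:
            raise PushOptionError(f"duplicate option: {key}")
        accepted[key] = value
    return accepted


def metadata_record(repo: str, accepted: dict[str, str]) -> str:
    """Serialise accepted options as JSON so downstream consumers receive data, not syntax."""
    return json.dumps({"repo": repo, "push_options": accepted}, sort_keys=True)
```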