CVE-2026-3854 is a critical GitHub flaw that enables remote code execution with a simple git push, affecting GitHub Enterprise Cloud variants and GitHub Enterprise Server. The vulnerability stems from a command injection flaw where user-supplied push option values were not properly sanitised and were embedded into internal service headers, allowing attackers to inject additional metadata fields and run arbitrary commands on affected systems.
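The mechanism described above is a classic header-injection pattern: a value that the service forwards verbatim can carry the field separator and so be parsed by the backend as more fields than the client actually sent. The following added example (not code from the article, from GitHub or from Wiz) shows the unsafe pattern beside a hardened form. The header layout, the newline separator and the allowlist regex are constructed assumptions for illustration and do not describe GitHub's real internal format.

```python
import re

# Constructed assumption: a hypothetical internal service forwards git push
# options (`git push -o key=value`) to a backend as one header in which
# metadata fields are separated by newlines. Not GitHub's real format.
FIELD_SEP = "\n"

# Allowlist for a single "key" or "key=value" push option (constructed).
# No control characters and no separator can match this pattern.
PUSH_OPTION_RE = re.compile(r"[A-Za-z0-9_.\-]{1,64}(=[A-Za-z0-9_.:/@\-]{0,256})?")


def build_header_unsafe(push_options):
    """Vulnerable pattern: values are embedded verbatim, so a value that
    contains FIELD_SEP is read by the backend as extra metadata fields."""
    return FIELD_SEP.join(push_options)


def build_header_safe(push_options):
    """Hardened form: reject any option that falls outside the allowlist
    before it is ever placed in the header."""
    for opt in push_options:
        if not PUSH_OPTION_RE.fullmatch(opt):
            raise ValueError(f"rejected push option: {opt!r}")
    return FIELD_SEP.join(push_options)


def parse_header(header):
    """What the backend sees: one metadata field per separator."""
    return [f for f in header.split(FIELD_SEP) if f]


def field_count_matches(push_options, builder):
    """Consistency check: the backend must see exactly as many fields as the
    client sent options. Returns None when the builder rejected the input."""
    try:
        header = builder(push_options)
    except ValueError:
        return None
    return len(parse_header(header)) == len(push_options)


if __name__ == "__main__":
    normal = ["ci.skip=true"]
    # Constructed test input: a value carrying the separator.
    smuggled = ["ci.skip=true" + FIELD_SEP + "extra=field"]
    print("unsafe builder, normal input :", field_count_matches(normal, build_header_unsafe))
    print("unsafe builder, smuggled input:", field_count_matches(smuggled, build_header_unsafe))
    print("safe builder, smuggled input  :", field_count_matches(smuggled, build_header_safe))
```

The `field_count_matches` check is the kind of invariant a service should assert at the trust boundary: if the number of fields the backend parses ever differs from the number of options the client supplied, the encoding has been subverted and the request should be refused rather than interpreted.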
The issue was fixed in multiple Enterprise Server versions (3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6, and 3.19.3), after Wiz researchers reported it on 4 March 2026 and GitHub acted within two hours. According to Wiz, the flaw in GitHub Enterprise Server could lead to full system compromise, including access to all repositories and sensitive internal data, while on GitHub[.]com the impact was a multi-step chain that could enable code execution on backend infrastructure.
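Because the fix shipped as a separate patch release per Enterprise Server series, checking an inventory against the list above needs a per-series comparison rather than a single "newer than X" test. The following added example (not from the article or from GitHub) encodes exactly the fixed versions named above; where the version strings come from (your own asset inventory, for instance) is an assumption, and any series not in the list is reported as unknown rather than guessed at.

```python
# Minimum patched patch level per GitHub Enterprise Server release series,
# taken from the fixed versions named in the summary above.
FIXED_VERSIONS = {
    (3, 14): 24,
    (3, 15): 19,
    (3, 16): 15,
    (3, 17): 12,
    (3, 18): 6,
    (3, 19): 3,
}


def parse_version(s):
    """Parse 'major.minor.patch' into a tuple of ints; reject anything else."""
    parts = s.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitHub Enterprise Server version: {s!r}")
    return tuple(int(p) for p in parts)


def is_patched(version):
    """True if the build carries the fix for CVE-2026-3854, False if it is an
    older build of a series that received a fix, None if the series is not in
    the list (this check cannot say anything about it)."""
    major, minor, patch = parse_version(version)
    minimum = FIXED_VERSIONS.get((major, minor))
    if minimum is None:
        return None
    return patch >= minimum


def triage(versions):
    """Summarise an inventory of instance versions (assumed to come from your
    own asset records) into patched / unpatched / unknown counts."""
    counts = {"patched": 0, "unpatched": 0, "unknown": 0}
    for v in versions:
        status = is_patched(v)
        if status is None:
            counts["unknown"] += 1
        elif status:
            counts["patched"] += 1
        else:
            counts["unpatched"] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample inventory.
    inventory = ["3.14.24", "3.14.23", "3.17.12", "3.18.5", "3.19.3", "3.13.9"]
    for v in inventory:
        print(v, "->", {True: "patched", False: "UNPATCHED", None: "unknown series"}[is_patched(v)])
    print(triage(inventory))
```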
The investigation found no real-world exploitation beyond researchers’ tests, and no customer data was compromised; nevertheless, Wiz highlighted that 88% of Enterprise Server instances were still vulnerable at the time of reporting.