2026-05-01 21:25:45

GitHub Patches Critical RCE Bug in Git Push Pipeline – Zero-Day Exploit Prevented

GitHub fixed a critical RCE in its git push pipeline within hours of the report. The bug allowed arbitrary command execution on the server via crafted push options. No exploitation was found. GHES patches have been released.

Critical Flaw Closed in Hours

On March 4, 2026, GitHub received a vulnerability report from Wiz researchers describing a critical remote code execution (RCE) flaw affecting GitHub.com, GitHub Enterprise Cloud, and GitHub Enterprise Server.

GitHub Patches Critical RCE Bug in Git Push Pipeline – Zero-Day Exploit Prevented
Source: github.blog

Within two hours, GitHub validated the finding and deployed a fix to GitHub.com; a forensic investigation subsequently confirmed that the flaw had not been exploited. The company urges all GHES customers to patch immediately.

“This was one of the most severe vulnerabilities we’ve seen in the push pipeline – it required no special privileges beyond push access,” said a GitHub security engineer. “Our team moved at record speed to contain it.”

Background: How the Attack Worked

The bug bounty report described a technique allowing any user with push access to a repository (including one they created) to execute arbitrary commands on the GitHub server handling their git push operation.

When a user pushes code, metadata about the push – such as repository type and processing environment – is passed between internal services via an internal protocol. The vulnerability leveraged how user-supplied git push options were handled within that metadata.

Push options are a standard Git feature: the client attaches arbitrary strings to a push with git push --push-option=<string> (or -o), and the server hands them to its receive hooks. Here, however, the option values were copied into the internal metadata without sufficient sanitization. The metadata format used a delimiter character that could also appear in user input, so an attacker could inject additional fields that downstream services would interpret as trusted internal values.

By chaining several injected values, Wiz researchers showed they could override the processing environment, bypass sandboxing protections constraining hook execution, and ultimately achieve arbitrary command execution on the server.
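To make the bug class concrete, the following is an added toy model, written for this page; it is not GitHub's code and does not come from the github.blog post. It shows a serializer that joins trusted fields and user push options with the same delimiter, the naive consumer that trusts the result, and a hardened pair that rejects and encodes user values and enforces a schema. The delimiter ";", the field names repo, env, sandbox and opt, and the record shape are assumptions; the only part taken from Git itself is the GIT_PUSH_OPTION_COUNT / GIT_PUSH_OPTION_<n> environment variables that Git really exports to server-side receive hooks.

```python
"""Toy model of the push-option field-injection bug class described above.

Real Git behaviour used here: a server-side receive hook sees push options as
GIT_PUSH_OPTION_COUNT and GIT_PUSH_OPTION_0 .. GIT_PUSH_OPTION_<n-1>.
Everything else is an ASSUMPTION for illustration: GitHub has not published
its internal metadata format, so it is modelled as ';'-separated key=value
fields with invented names (repo, env, sandbox, opt).
"""
import re
from urllib.parse import quote, unquote

DELIM = ";"                                  # assumed internal field separator
TRUSTED_KEYS = ("repo", "env", "sandbox")    # assumed server-set fields
SAFE_OPTION = re.compile(r"[A-Za-z0-9_.\-]+(=[A-Za-z0-9_.\-/]*)?")


def push_options_from_env(environ):
    """Collect push options the way a pre-receive hook receives them."""
    count = int(environ.get("GIT_PUSH_OPTION_COUNT", "0"))
    return [environ[f"GIT_PUSH_OPTION_{i}"] for i in range(count)]


def build_record_vulnerable(repo, options):
    """VULNERABLE: option strings are spliced in verbatim, so a value that
    contains DELIM manufactures extra fields that downstream will trust."""
    fields = [f"repo={repo}", "env=prod", "sandbox=on"]
    fields += [f"opt={o}" for o in options]
    return DELIM.join(fields)


def parse_record_naive(record):
    """Consumer as modelled before the fix: split on DELIM, no schema,
    the last occurrence of a key silently wins."""
    out = {}
    for field in record.split(DELIM):
        key, _, value = field.partition("=")
        out[key] = value
    return out


def is_safe_option(option):
    """Allowlist: a bare token or token=value from a conservative charset.
    DELIM and a second '=' cannot be expressed, so they are rejected."""
    return SAFE_OPTION.fullmatch(option) is not None


def build_record_fixed(repo, options):
    """HARDENED: fail closed on anything outside the allowlist, then
    percent-encode every user-influenced value so neither DELIM nor '='
    can survive into the wire format."""
    for o in options:
        if not is_safe_option(o):
            raise ValueError(f"rejected push option: {o!r}")
    fields = [f"repo={quote(repo, safe='')}", "env=prod", "sandbox=on"]
    fields += [f"opt={quote(o, safe='')}" for o in options]
    return DELIM.join(fields)


def parse_record_strict(record):
    """HARDENED consumer: every trusted key exactly once, nothing unknown,
    values decoded only after the structure has been validated."""
    out = {"opt": []}
    for field in record.split(DELIM):
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {field!r}")
        if key == "opt":
            out["opt"].append(unquote(value))
        elif key in TRUSTED_KEYS and key not in out:
            out[key] = unquote(value)
        else:
            raise ValueError(f"duplicate or unknown field: {key!r}")
    missing = [k for k in TRUSTED_KEYS if k not in out]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    return out


if __name__ == "__main__":
    # Constructed attacker input: one push option that carries the delimiter
    # and two trusted-looking fields behind it.
    hostile_env = {
        "GIT_PUSH_OPTION_COUNT": "1",
        "GIT_PUSH_OPTION_0": "ci=skip;env=attacker;sandbox=off",
    }
    opts = push_options_from_env(hostile_env)

    record = build_record_vulnerable("acme/app", opts)
    print("vulnerable record :", record)
    print("naive parse       :", parse_record_naive(record))  # env/sandbox overridden

    try:
        build_record_fixed("acme/app", opts)
    except ValueError as exc:
        print("fixed builder     :", exc)

    try:
        parse_record_strict(record)  # defence in depth: consumer refuses it too
    except ValueError as exc:
        print("strict parser     :", exc)
```

Run it directly and the naive parse reports env=attacker and sandbox=off, while the hardened builder rejects the option outright and the strict parser refuses the already-poisoned record. The structural lesson is the one the article draws: when user-controlled text is concatenated into a framed internal message, the framing characters must be unrepresentable in the payload (escape or length-prefix them), and the consumer must still enforce a schema instead of accepting whatever fields arrive. On a real Git server, push options reach hooks only when receive.advertisePushOptions is enabled.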

Response: Fix Deployed Within Two Hours

GitHub’s security team received the report and validated it internally within 40 minutes, confirming its critical severity. At 5:45 p.m. UTC on March 4, the root cause was identified; by 7:00 p.m. UTC, a fix was deployed to GitHub.com.


The fix ensures that user‑supplied push option values are sanitized before they reach the internal metadata and can no longer influence trusted fields. For GitHub Enterprise Server, patches are available for every supported release line; administrators should upgrade to 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4 or 3.20.0, or a later release in the same line.

GitHub published CVE-2026-3854 and strongly recommends that all GHES customers upgrade immediately. The company’s forensic investigation found no signs of active exploitation before or after the fix.

What This Means

For GitHub.com and Enterprise Cloud users, no action is needed – the fix is already live. The vulnerability does, however, underscore the risk of passing user input into internal service protocols: a serialization format that cannot tell trusted fields apart from attacker-supplied text is a trust boundary in name only.

“Even a small gap in sanitization can escalate into a critical RCE when chained with other parameters,” a GitHub security researcher noted. “We’re reviewing our entire metadata pipeline to prevent similar issues.”

GHES administrators should apply the patch as soon as possible. While no exploitation was detected, the flaw could have allowed an attacker with push access to gain server‑level control, potentially leaking repositories or pivoting to internal systems.

GitHub has also shared details with Wiz and expressed gratitude for the coordinated disclosure. The company plans to release a full technical deep‑dive in the coming weeks.

This is a breaking news story – updates may follow as more information becomes available.