GitHub CVE-2026-3854 remote code execution flaw via crafted git push
Summary
A critical command injection vulnerability, tracked as CVE-2026-3854 with a CVSS score of 8.7, was disclosed in GitHub.com and GitHub Enterprise Server that allowed authenticated users with push access to achieve remote code execution via a single "git push" command. The flaw stemmed from inadequate sanitization of user-supplied push option values, which were incorporated into internal service headers during git push operations. By injecting crafted push option values containing semicolons, an attacker could manipulate internal metadata and bypass sandboxing protections, ultimately executing arbitrary commands as the git user. Due to GitHub's multi-tenant architecture, exploitation of this vulnerability on GitHub.com could enable cross-tenant access, allowing an attacker to read repositories across multiple organizations on shared storage nodes.
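The root cause described above is a classic delimiter injection: a user-controlled value is concatenated into a semicolon-separated internal header, so a value that itself contains `;` is later parsed as additional key=value pairs. The following is an added illustration, not GitHub's code; the header format, the option names (`example.flag`, `example.label`) and the value grammar are all hypothetical. It places the flawed concatenation next to a hardened builder that allowlists option names and rejects any value carrying the header's own structural characters.

```python
"""Delimiter-injection sketch for git push options serialized into an
internal header.  Hypothetical format and option names; not GitHub's code."""
import re

# Hypothetical: the only push options the internal service will forward.
ALLOWED_OPTIONS = frozenset({"example.flag", "example.label"})

# Hypothetical value grammar: short, printable, and free of header syntax.
VALUE_RE = re.compile(r"^[A-Za-z0-9._/@+-]{1,128}$")

# Characters that have structural meaning in the (hypothetical) header.
# Any of these inside a value lets the value spawn extra key=value pairs.
FORBIDDEN = frozenset(";=\r\n\x00")


class InvalidPushOption(ValueError):
    """Raised when a push option must not be forwarded."""


def build_header_unsafe(options):
    """The flawed pattern: raw values concatenated with the delimiter.
    Kept only to show why validation is needed."""
    return ";".join(f"{key}={value}" for key, value in options)


def parse_header(header):
    """How a downstream consumer would read the header back: split on ';',
    then on the first '='.  Later keys overwrite earlier ones."""
    pairs = {}
    for item in header.split(";"):
        if not item:
            continue
        key, _, value = item.partition("=")
        pairs[key] = value
    return pairs


def validate_push_option(raw):
    """Accept a raw 'key=value' push option only if the key is allowlisted
    and the value cannot alter header structure.  Returns (key, value)."""
    key, sep, value = raw.partition("=")
    if not sep:
        raise InvalidPushOption("push option is missing '='")
    if key not in ALLOWED_OPTIONS:
        raise InvalidPushOption(f"push option {key!r} is not allowed")
    if FORBIDDEN & set(value) or not VALUE_RE.fullmatch(value):
        raise InvalidPushOption(f"illegal characters in value for {key!r}")
    return key, value


def build_header_safe(raw_options):
    """Hardened builder: every option is validated before serialization, so
    the number of pairs a consumer parses equals the number supplied."""
    validated = [validate_push_option(raw) for raw in raw_options]
    return ";".join(f"{key}={value}" for key, value in validated)


def is_accepted(raw):
    """Convenience predicate for callers that only need a yes/no answer."""
    try:
        validate_push_option(raw)
    except InvalidPushOption:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: one clean option and one smuggling a second pair.
    clean = ["example.flag=yes", "example.label=v1.2"]
    smuggled = [("example.flag", "yes;example.label=override")]
    print("safe header:", build_header_safe(clean))
    print("unsafe header parses to:", parse_header(build_header_unsafe(smuggled)))
    print("smuggled option accepted:", is_accepted("example.flag=yes;example.label=override"))
```

Run stand-alone, the script shows the unsafe builder turning one supplied option into two parsed pairs, while the hardened builder refuses the same input. The important design choice is that validation happens at the trust boundary (where the user-supplied value enters the service) and rejects rather than escapes, since escaping rules would have to match every downstream parser exactly.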
Timeline
- 28.04.2026 21:19 (1 article): CVE-2026-3854 remote code execution vulnerability in GitHub addressed
GitHub disclosed CVE-2026-3854, a critical command injection vulnerability in GitHub.com and GitHub Enterprise Server that allowed authenticated users with push access to achieve remote code execution via a single "git push" command. The flaw was introduced by insufficient sanitization of user-supplied git push option values, which enabled injection of semicolon-delimited metadata into internal headers. Exploitation involved a three-stage chain—bypassing sandboxing, redirecting hook execution, and executing arbitrary commands as the git user—resulting in full instance compromise. GitHub deployed a fix to GitHub.com within two hours of being notified by Wiz on March 4, 2026, and subsequently released patches for affected GitHub Enterprise Server versions. No active exploitation has been observed.
- Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push — thehackernews.com — 28.04.2026 21:19
Information Snippets
- CVE-2026-3854 is a command injection vulnerability affecting GitHub.com and GitHub Enterprise Server versions prior to 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4 and 3.20.0 (the patched releases). First reported 28.04.2026 21:19; 1 source, 1 article (thehackernews.com).
- The vulnerability allows remote code execution via a single "git push" command by exploiting unsanitized user-supplied push option values inserted into internal headers during git push operations. First reported 28.04.2026 21:19; 1 source, 1 article (thehackernews.com).
- Exploitation involves chaining three injections: overriding rails_env to bypass sandboxing, setting custom_hooks_dir to redirect hook execution, and injecting repo_pre_receive_hooks with a crafted hook entry to achieve path traversal and execute arbitrary commands as the git user. First reported 28.04.2026 21:19; 1 source, 1 article (thehackernews.com).
- GitHub.com and all GitHub Enterprise offerings were affected, including GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, GitHub Enterprise Cloud with Enterprise Managed Users, and GitHub Enterprise Server. First reported 28.04.2026 21:19; 1 source, 1 article (thehackernews.com).
- The flaw was discovered by Wiz and reported to GitHub on March 4, 2026; GitHub deployed a fix to GitHub.com within two hours and later released patches for affected GitHub Enterprise Server versions. First reported 28.04.2026 21:19; 1 source, 1 article (thehackernews.com).
- No evidence of exploitation in the wild has been identified at the time of disclosure. First reported 28.04.2026 21:19; 1 source, 1 article (thehackernews.com).
- The issue is described as trivially exploitable and affects approximately 88% of GitHub Enterprise Server instances at the time of public disclosure. First reported 28.04.2026 21:19; 1 source, 1 article (thehackernews.com).