GitHub CVE-2026-3854 security patch release
Security Patch Release
Summary
Hide ▲
Show ▼
GitHub released security fixes for CVE-2026-3854, patching GitHub.com and supported GitHub Enterprise Server builds after a critical remote code execution flaw that could expose private repositories. GitHub said it fixed GitHub.com in less than two hours after the report and prepared GHES updates for supported releases, with administrators told to upgrade immediately.
Related Happenings
GitHub npm version 12 hardens installs and token management
Security Tool/Service
H score11
First: 09.07.2026 19:49
Last: 09.07.2026 19:49
Sources 1
About this happening:
**GitHub** released **npm version 12**, making install-time scripts opt-in by default and tightening **package publishing** controls to reduce **supply-chain risk**. The update al...
GitHub npm version 12 hardens installs and token management
Security Tool/ServiceAbout this happening: **GitHub** released **npm version 12**, making install-time scripts opt-in by default and tightening **package publishing** controls to reduce **supply-chain risk**. The update al...
GitHub npm GAT publish-token mitigation guidance
Advisory/Mitigation
H score25
First: 09.07.2026 19:49
Last: 09.07.2026 19:49
Sources 1
About this happening:
GitHub is steering **npm users** away from **long-lived publish tokens** as **npm GATs** that bypass **2FA** lose direct publishing and sensitive-management abilities. The recomme...
GitHub npm GAT publish-token mitigation guidance
Advisory/MitigationAbout this happening: GitHub is steering **npm users** away from **long-lived publish tokens** as **npm GATs** that bypass **2FA** lose direct publishing and sensitive-management abilities. The recomme...
Gitea Docker images security update (CVE-2026-20896)
Security Patch Release
H score51
First: 06.07.2026 19:28
Last: 06.07.2026 19:28
Sources 1
About this happening:
Gitea released **version 1.26.3** to fix **CVE-2026-20896**, closing a critical authentication-bypass risk in **Gitea Docker images**. The update removed the default **"*"** wildc...
Gitea Docker images security update (CVE-2026-20896)
Security Patch ReleaseAbout this happening: Gitea released **version 1.26.3** to fix **CVE-2026-20896**, closing a critical authentication-bypass risk in **Gitea Docker images**. The update removed the default **"*"** wildc...
GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows
Security Tool/Service
H score11
First: 23.06.2026 17:22
Last: 23.06.2026 17:22
Sources 1
About this happening:
GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...
GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows
Security Tool/ServiceAbout this happening: GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...
Gravity SMTP security patch release for CVE-2026-4020
Security Patch Release
H score16
First: 20.06.2026 12:56
Last: 20.06.2026 12:56
Sources 1
About this happening:
**Gravity SMTP** released **version 2.1.5** to fix **CVE-2026-4020**, closing a **medium-severity information disclosure** flaw in the WordPress plugin. The patch addresses a bug...
Gravity SMTP security patch release for CVE-2026-4020
Security Patch ReleaseAbout this happening: **Gravity SMTP** released **version 2.1.5** to fix **CVE-2026-4020**, closing a **medium-severity information disclosure** flaw in the WordPress plugin. The patch addresses a bug...
Timeline
-
29.04.2026 15:41 1 articles · 2mo ago
Wiz reports CVE-2026-3854 to GitHub
Initial DisclosureWiz researchers reported CVE-2026-3854 through GitHub's bug bounty program on March 4, 2026, and GitHub's security team reproduced and confirmed the vulnerability within 40 minutes.
Show sources
- GitHub fixes RCE flaw that gave access to millions of private repos — www.bleepingcomputer.com — 29.04.2026 15:41
-
29.04.2026 15:41 1 articles · 2mo ago
GitHub confirms malicious git push RCE path
Technical Analysis UpdateCVE-2026-3854 let a single maliciously crafted git push inject user-supplied options into internal server metadata without sufficient sanitization, bypass sandboxing protections, and execute arbitrary code on the server handling the push. On GitHub.com, the flaw exposed shared storage nodes, and on GitHub Enterprise Server it granted full server compromise with access to hosted repositories and internal secrets.
Show sources
- GitHub fixes RCE flaw that gave access to millions of private repos — www.bleepingcomputer.com — 29.04.2026 15:41
-
29.04.2026 15:41 2 articles · 2mo ago
GitHub deploys fixes and GHES patches for CVE-2026-3854
Mitigation Patch UpdateGitHub deployed a fix to GitHub.com less than two hours after receiving the report and prepared supported GitHub Enterprise Server patches for versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4, 3.20.0, or later. GitHub also stated that no other users or accounts triggered the exploit path and that no customer data was accessed, modified, or exfiltrated before patches were deployed.
Show sources
- GitHub fixes RCE flaw that gave access to millions of private repos — www.bleepingcomputer.com — 29.04.2026 15:41
- GitHub fixes RCE flaw that gave access to millions of private repos — www.bleepingcomputer.com — 29.04.2026 15:41