GitHub git push RCE (CVE-2026-3854)
Vulnerability
Summary
Hide ▲
Show ▼
GitHub patched CVE-2026-3854, a critical remote code execution flaw affecting GitHub.com and GitHub Enterprise Server that could expose millions of private repositories. A successful attack required only a single malicious git push and could grant full read/write access to private repos on GitHub.com or full server compromise on GHES. GitHub said it fixed the issue after a March 4, 2026 report from Wiz and that no customer data was accessed before patches were deployed.
Related Happenings
Single organization's private GitHub repository cloned after confirmed access
Data Leak
H score12
First: 09.07.2026 21:38
Last: 09.07.2026 21:38
Sources 1
About this happening:
**Confirmed access** to a **private GitHub repository** belonging to **one organization** marks a concrete **data exposure** and raises the risk of source-code or internal-content...
Single organization's private GitHub repository cloned after confirmed access
Data LeakAbout this happening: **Confirmed access** to a **private GitHub repository** belonging to **one organization** marks a concrete **data exposure** and raises the risk of source-code or internal-content...
GitHub npm version 12 hardens installs and token management
Security Tool/Service
H score11
First: 09.07.2026 19:49
Last: 09.07.2026 19:49
Sources 1
About this happening:
**GitHub** released **npm version 12**, making install-time scripts opt-in by default and tightening **package publishing** controls to reduce **supply-chain risk**. The update al...
GitHub npm version 12 hardens installs and token management
Security Tool/ServiceAbout this happening: **GitHub** released **npm version 12**, making install-time scripts opt-in by default and tightening **package publishing** controls to reduce **supply-chain risk**. The update al...
GitHub npm GAT publish-token mitigation guidance
Advisory/Mitigation
H score25
First: 09.07.2026 19:49
Last: 09.07.2026 19:49
Sources 1
About this happening:
GitHub is steering **npm users** away from **long-lived publish tokens** as **npm GATs** that bypass **2FA** lose direct publishing and sensitive-management abilities. The recomme...
GitHub npm GAT publish-token mitigation guidance
Advisory/MitigationAbout this happening: GitHub is steering **npm users** away from **long-lived publish tokens** as **npm GATs** that bypass **2FA** lose direct publishing and sensitive-management abilities. The recomme...
GitHub Agentic Workflows indirect prompt injection security flaw
Vulnerability
H score27
First: 07.07.2026 17:04
Last: 07.07.2026 17:04
Sources 1
About this happening:
**GitHub Agentic Workflows** has an **indirect prompt injection** flaw that can let a **public issue** leak content from **private repositories** into public comments. The risk is...
GitHub Agentic Workflows indirect prompt injection security flaw
VulnerabilityAbout this happening: **GitHub Agentic Workflows** has an **indirect prompt injection** flaw that can let a **public issue** leak content from **private repositories** into public comments. The risk is...
NHS England Digital libssh2 update advisory for CVE-2026-55200
Advisory/Mitigation
H score38
First: 29.06.2026 10:06
Last: 29.06.2026 10:06
Sources 1
About this happening:
**NHS England Digital** has issued an **update advisory** for **libssh2** after a public proof-of-concept surfaced for **CVE-2026-55200**. The flaw can let a **malicious or compro...
NHS England Digital libssh2 update advisory for CVE-2026-55200
Advisory/MitigationAbout this happening: **NHS England Digital** has issued an **update advisory** for **libssh2** after a public proof-of-concept surfaced for **CVE-2026-55200**. The flaw can let a **malicious or compro...
Timeline
-
29.04.2026 15:41 1 articles · 2mo ago
Wiz reports CVE-2026-3854 through GitHub bug bounty
Initial DisclosureWiz reported CVE-2026-3854 to GitHub through the bug bounty program after finding a critical remote code execution flaw in GitHub push handling. The issue affected GitHub.com, GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, GitHub Enterprise Cloud with Enterprise Managed Users, and GitHub Enterprise Server, and a successful attack could start with a single maliciously crafted `git push` command.
Show sources
- GitHub fixes RCE flaw that gave access to millions of private repos — www.bleepingcomputer.com — 29.04.2026 15:41
-
29.04.2026 15:41 2 articles · 2mo ago
GitHub confirms CVE-2026-3854 and patches GitHub.com
Mitigation Patch UpdateGitHub reproduced and confirmed CVE-2026-3854 within 40 minutes and deployed a fix to GitHub.com less than two hours after receiving the report. Supported GitHub Enterprise Server releases 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4, 3.20.0, or later were patched, and administrators were told to upgrade immediately.
Show sources
- GitHub fixes RCE flaw that gave access to millions of private repos — www.bleepingcomputer.com — 29.04.2026 15:41
- GitHub fixes RCE flaw that gave access to millions of private repos — www.bleepingcomputer.com — 29.04.2026 15:41
-
29.04.2026 15:41 1 articles · 2mo ago
GitHub push handling flaw enables sandbox bypass and code execution
Technical Analysis UpdateThe flaw came from user-supplied options during `git push` being incorporated into internal server metadata without sufficient sanitization, which let attackers inject additional fields trusted by downstream services and bypass sandboxing protections to execute arbitrary code on the server handling the push. Telemetry and forensic investigation found no evidence of exploitation before the disclosure, and the anomalous code path was triggered only by Wiz testing.
Show sources
- GitHub fixes RCE flaw that gave access to millions of private repos — www.bleepingcomputer.com — 29.04.2026 15:41