GitHub git push RCE (CVE-2026-3854)

Vulnerability
Happening score: 21
1 unique source, 1 article

Summary

GitHub patched CVE-2026-3854, a critical remote code execution flaw affecting GitHub.com and GitHub Enterprise Server that could expose millions of private repositories. A successful attack required only a single malicious git push and could grant full read/write access to private repos on GitHub.com or full server compromise on GHES. GitHub said it fixed the issue after a March 4, 2026 report from Wiz and that no customer data was accessed before patches were deployed.

Related Happenings

GitHub data exposed after GitHub breach

Data Leak
First: 20.05.2026 11:14 Last: 20.05.2026 11:14 Sources 1

About this happening: GitHub confirmed **exfiltration** of **internal repositories**, making private code and related content potentially available to outsiders. Attackers on the **Breached cybercrime...

GitHub internal repositories private-code leak claim

Data Leak
First: 20.05.2026 08:08 Last: 20.05.2026 08:08 Sources 1

About this happening: GitHub is facing a claimed leak of **internal repositories** after **TeamPCP** said it had access to about **4,000 private-code repos** and tried to sell samples. The alleged expo...

Latest development: 21.05.2026 17:45

A malicious version of Nx Console 18.95.0 was uploaded to Visual Studio Marketplace and Open VSX on May 18, fetched an obfuscated payload, and harvested secrets from ~/.vault-token, /etc/vault/token, .npmrc, ghp_/gho_/ghs_ tokens, AWS metadata, and other local sources; GitHub said the poisoned VS Code extension led to unauthorized access to about 3800 internal repositories.

GitHub hit by network compromise

Incident
First: 20.05.2026 07:01 Last: 20.05.2026 07:01 Sources 1

About this happening: GitHub is investigating unauthorized access to its internal repositories after a third party allegedly offered stolen material for sale on a cybercrime forum. The intrusion was li...

Latest development: 20.05.2026 13:45

GitHub detected unauthorized access tied to a poisoned Visual Studio Code (VS Code) extension on an employee device, removed the malicious extension version, isolated the endpoint, and began incident response to contain exposure across internal repositories.

rwl.angular-console (Nx Console) hit by network compromise

Incident
First: 19.05.2026 10:49 Last: 19.05.2026 10:49 Sources 1

About this happening: The **Nx Console** extension **rwl.angular-console 18.95.0** was compromised on the **VS Code Marketplace**, exposing **developers** to a **credential-stealing** payload and suppl...

actions-cool/issues-helper hit by network compromise

Incident
First: 19.05.2026 08:28 Last: 19.05.2026 08:28 Sources 1

About this happening: The **actions-cool/issues-helper** GitHub Actions supply-chain compromise let malicious tags run in **CI/CD pipelines**, causing **credential theft** and downstream account risk....

Timeline

  1. 29.04.2026 15:41 (1 article)

    Wiz reports CVE-2026-3854 through GitHub bug bounty

    Initial Disclosure

    Wiz reported CVE-2026-3854 to GitHub through the bug bounty program after finding a critical remote code execution flaw in GitHub push handling. The issue affected GitHub.com, GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, GitHub Enterprise Cloud with Enterprise Managed Users, and GitHub Enterprise Server, and a successful attack could start with a single maliciously crafted `git push` command.

  2. 29.04.2026 15:41 (2 articles)

    GitHub confirms CVE-2026-3854 and patches GitHub.com

    Mitigation Patch Update

    GitHub reproduced and confirmed CVE-2026-3854 within 40 minutes and deployed a fix to GitHub.com less than two hours after receiving the report. GitHub Enterprise Server was patched in supported releases 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4, 3.20.0, or later, and administrators were told to upgrade immediately.

  3. 29.04.2026 15:41 (1 article)

    GitHub push handling flaw enables sandbox bypass and code execution

    Technical Analysis Update

    The flaw came from user-supplied options during `git push` being incorporated into internal server metadata without sufficient sanitization, which let attackers inject additional fields trusted by downstream services and bypass sandboxing protections to execute arbitrary code on the server handling the push. Telemetry and forensic investigation found no evidence of exploitation before the disclosure, and the anomalous code path was triggered only by Wiz testing.