Security researchers have revealed a high-impact vulnerability affecting GitHub that could enable attackers to execute arbitrary code using nothing more than a single git push command.
Tracked as CVE-2026-3854, the flaw carries a CVSS score of 8.7 and impacts both GitHub.com and GitHub Enterprise Server environments.
Nature of the Vulnerability
The issue is classified as a command injection flaw. It arises from improper handling of user-controlled input during the git push process.
Specifically, user-provided push options were not properly sanitized before being embedded into internal service headers. Because these headers rely on delimiters that can also be included in user input, attackers could manipulate the structure and inject malicious data.
How the Exploit Works
By crafting specially designed push option values, an attacker with repository push access could inject additional metadata into internal headers. This allowed researchers to alter execution parameters and bypass built-in safeguards.
The attack chain demonstrated by researchers involved:
- Modifying environment settings to bypass sandbox restrictions
- Redirecting hook execution paths to attacker-controlled locations
- Injecting malicious hooks capable of executing arbitrary commands
This sequence ultimately allowed full remote code execution on affected systems.
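The delimiter problem described above, reduced to a small model, as an added example that is not code from the article, from Wiz, or from GitHub. It assumes a hypothetical internal header format (fields joined by ';', each 'key=value') and a hypothetical service-controlled field named 'sandbox'; neither is GitHub's real format. It shows the unsafe splice of raw push options beside a hardened builder that encodes user values and a parser that refuses duplicate keys.

```python
from urllib.parse import quote, unquote

# Hypothetical header format assumed for this illustration only:
# fields separated by ';', each field written as key=value.
FIELD_SEP = ";"
KV_SEP = "="


def build_header_unsafe(push_options):
    """Vulnerable pattern: raw push options are spliced into the header,
    so a ';' or '=' inside an option becomes header structure."""
    fields = ["sandbox=1"]  # service-controlled field (hypothetical name)
    fields += [f"opt{i}={opt}" for i, opt in enumerate(push_options)]
    return FIELD_SEP.join(fields)


def parse_header_naive(header):
    """Consumer that lets a later duplicate key silently override an earlier one."""
    parsed = {}
    for field in header.split(FIELD_SEP):
        key, _, value = field.partition(KV_SEP)
        parsed[key] = value
    return parsed


def build_header_safe(push_options):
    """Hardened pattern: percent-encode every user-supplied value so the
    delimiters can never survive into the header structure."""
    fields = ["sandbox=1"]
    for i, opt in enumerate(push_options):
        fields.append(f"opt{i}={quote(opt, safe='')}")  # ';' -> %3B, '=' -> %3D
    return FIELD_SEP.join(fields)


def parse_header_strict(header):
    """Consumer that decodes values and rejects malformed or duplicated keys
    instead of letting the last occurrence win."""
    parsed = {}
    for field in header.split(FIELD_SEP):
        key, sep, value = field.partition(KV_SEP)
        if not sep or key in parsed:
            raise ValueError(f"malformed or duplicated header field: {field!r}")
        parsed[key] = unquote(value)
    return parsed
```

Encoding on the producer side and duplicate rejection on the consumer side are independent controls; either one alone would have blocked the constructed input, and using both keeps a future parser change from reopening the hole.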
Discovery and Rapid Response
The vulnerability was identified by Wiz and reported on March 4, 2026. GitHub confirmed the issue and deployed a fix to its cloud platform within hours.
According to Alexis Wales, the flaw could be exploited to override execution environments and bypass standard protections, enabling attackers to run unsandboxed code.
Affected Systems and Patch Availability
The issue impacts multiple GitHub offerings, including:
- GitHub.com
- GitHub Enterprise Cloud
- GitHub Enterprise Cloud with Data Residency
- GitHub Enterprise Cloud with Enterprise Managed Users
- GitHub Enterprise Server
Fixed builds of GitHub Enterprise Server start at version 3.14.25; later release lines also carry the fix, up to and including the current releases.
Importantly, there is no evidence that the vulnerability was exploited in real-world attacks prior to disclosure.
Potential Impact
Successful exploitation could grant attackers control over backend infrastructure. In shared environments, this risk becomes even more severe.
Due to GitHub’s multi-tenant architecture, gaining execution access on shared storage nodes could allow unauthorized visibility into repositories belonging to other users or organizations.
Researchers noted that the vulnerability could expose sensitive data across tenants, significantly amplifying its impact.