Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push

Critical Security Vulnerability in GitHub Allows Remote Code Execution

Ravie Lakshmanan | Apr 28, 2026 | Vulnerability / Software Security

Cybersecurity researchers have recently uncovered a critical security flaw affecting GitHub.com and GitHub Enterprise Server, enabling an authenticated user to execute remote code with just a “git push” command.

The vulnerability, identified as CVE-2026-3854 with a CVSS score of 8.7, is a case of command injection that allows an attacker with push access to a repository to achieve remote code execution on the instance.

According to a GitHub advisory, the flaw arises from unsanitized push option values included in internal service headers during a git push operation. This oversight could be exploited by injecting additional metadata fields through crafted push option values.

The vulnerability was discovered by Google-owned cloud security firm Wiz on March 4, 2026; GitHub validated the report and deployed a fix to GitHub.com within two hours. The issue has also been addressed in GitHub Enterprise Server versions 3.14.25 and later.

GitHub has confirmed that the issue impacts GitHub.com, GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, GitHub Enterprise Cloud with Enterprise Managed Users, and GitHub Enterprise Server.

The root of the problem lies in the inadequate sanitization of user-supplied git push options before incorporating them into the internal X-Stat header. This loophole could be exploited by injecting arbitrary commands to execute on the server.
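The bug class in miniature, as an added illustration that is not GitHub's or Wiz's code: the advisory does not publish the X-Stat format, so the space-separated key=value layout below is an assumption. An unchecked builder concatenates push option values straight into the header, so a value carrying the separator changes which fields a downstream consumer parses; the hardened builder enforces an allow-list, rejects control characters, and round-trips the header to confirm no field was added.

```python
import re

# Assumption (not from the advisory): the internal X-Stat header is a
# space-separated list of key=value metadata fields.
FIELD_SEPARATOR = " "
# Allow-list for a push option value: no space (separator), no '=', no
# control characters. Adjust to the real option grammar in production.
PUSH_OPTION_VALUE = re.compile(r"[A-Za-z0-9._:/@+-]{1,256}")
MAX_OPTIONS = 32


def parse_x_stat(header: str) -> dict:
    """Read the (assumed) header back the way a consuming service would."""
    fields = {}
    for item in header.split(FIELD_SEPARATOR):
        if item:
            key, _, value = item.partition("=")
            fields[key] = value
    return fields


def build_x_stat_unchecked(push_options: list[str]) -> str:
    """Weak pattern: user-controlled values are embedded without validation,
    so a value containing the separator or '=' becomes extra fields."""
    return FIELD_SEPARATOR.join(
        f"push_option_{i}={v}" for i, v in enumerate(push_options))


def is_safe_push_option(value: str) -> bool:
    """True only if the value cannot alter header structure."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):  # CR, LF, NUL, ...
        return False
    return PUSH_OPTION_VALUE.fullmatch(value) is not None


def build_x_stat(push_options: list[str]) -> str:
    """Hardened builder: validate every value, cap the count, and verify
    that encoding then parsing yields exactly the intended fields."""
    if len(push_options) > MAX_OPTIONS:
        raise ValueError("too many push options")
    fields = []
    for i, v in enumerate(push_options):
        if not is_safe_push_option(v):
            raise ValueError(f"push option {i} rejected by allow-list")
        fields.append(f"push_option_{i}={v}")
    header = FIELD_SEPARATOR.join(fields)
    if len(parse_x_stat(header)) != len(fields):  # defense in depth
        raise ValueError("field count changed after encoding")
    return header
```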

By exploiting the vulnerability, an attacker could override the push environment, bypass sandboxing protections, and execute arbitrary commands on the server. This poses a significant risk to GitHub’s infrastructure and user data.

Users are strongly advised to apply the necessary updates immediately to protect against potential exploitation of the vulnerability.

Wiz emphasized the importance of auditing how user-controlled input flows through internal protocols in multi-service architectures to prevent similar security incidents in the future.