GitHub CVE-2026-3854 Enables Remote Code Execution via Single Git Push

, , ,
GitHub git push command injection vulnerability leading to remote code execution.

GitHub CVE-2026-3854 Enables Remote Code Execution via Single Git Push

Author: UMV 유엠브이기술
Published Date: May 14, 2026

Key Takeaways

  • Improper sanitization of Git Push options leads to command injection
  • GitHub.com and GitHub Enterprise Server are both affected
  • Attackers can bypass sandbox protections through crafted metadata injection
  • Multi-tenant environments face potential cross-repository exposure risks
  • Immediate patching is strongly recommended
Diagram illustrating the GitHub CVE-2026-3854 remote code execution attack chain, where a malicious Git Push request exploits a command injection flaw to compromise backend storage nodes and potentially expose millions of repositories.
CVE-2026-3854 allows attackers to achieve remote code execution on GitHub backend infrastructure through malicious Git Push option injection, potentially exposing millions of repositories in shared storage environments. (Source: Wiz)

Critical GitHub RCE Vulnerability Disclosed

Security researchers have disclosed a critical remote code execution (RCE) vulnerability, tracked as CVE-2026-3854, impacting GitHub and GitHub Enterprise Server environments.

The vulnerability allows an authenticated attacker with repository push access to execute arbitrary commands on the server using a single git push command.

The issue was discovered by Google-owned cloud security company Wiz, with GitHub reportedly deploying a fix to GitHub.com within two hours of validation.

CVE-2026-3854 Command Injection Vulnerability Analysis

The vulnerability originates from insufficient sanitization of user-supplied Git Push option values during internal metadata processing.

GitHub internally processes push option values through the X-Stat header format. However, because the metadata structure relies on semicolon (;) delimiters that could also be included within user input, attackers could inject additional metadata fields and manipulate internal service behavior.

Researchers demonstrated that carefully crafted push options could ultimately lead to arbitrary command execution on backend infrastructure.

Git Push RCE Attack Chain Analysis

Infographic showing the Git Push RCE attack chain for GitHub CVE-2026-3854, including malicious Git Push option injection, sandbox bypass, custom hook manipulation, path traversal execution, and remote code execution.
Attack chain diagram illustrating how CVE-2026-3854 can be exploited through malicious Git Push option injection to bypass sandbox protections and achieve remote code execution on GitHub infrastructure.

Multi-Tenant GitHub Environment Exposure Risks

The impact becomes more severe within GitHub.com’s multi-tenant architecture.

Researchers noted that successful code execution could provide attackers with:

  • Filesystem read/write access
  • Internal service configuration visibility
  • Shared storage node access
  • Repository exposure across organizations

GitHub stated that exploitation within shared back-end infrastructure could potentially expose millions of repositories hosted on affected storage nodes.

MITRE ATT&CK Mapping

Infographic showing the MITRE ATT&CK mapping for GitHub CVE-2026-3854, including tactics such as Initial Access, Execution, Persistence, Defense Evasion, Privilege Escalation, and Collection, mapped to techniques like command injection, sandbox bypass, hook manipulation, and repository access.
MITRE ATT&CK mapping for CVE-2026-3854 illustrating how the Git Push RCE vulnerability aligns with multiple attack stages, including command injection, sandbox bypass, hook manipulation, and path traversal.

Affected GitHub Enterprise Server Versions

GitHub addressed the vulnerability in the following versions:

  • 3.14.25
  • 3.15.20
  • 3.16.16
  • 3.17.13
  • 3.18.8
  • 3.19.4
  • 3.20.0 and later

Although no evidence of malicious exploitation has been identified, Wiz estimated that approximately 88% of instances were vulnerable at the time of public disclosure.

WSS Detection Points

  • Suspicious Git Push request activity
  • Command injection pattern detection
  • Unauthorized hook directory modification attempts
  • Abnormal path traversal behavior
  • Unauthorized server-side command execution

Growing Risks from Internal Protocol Attack Surfaces

This incident highlights how internal protocols within multi-service architectures can become critical attack surfaces when user-controlled input is insufficiently validated.

As modern development platforms rely on increasingly complex service interactions and metadata processing, attackers are shifting focus beyond traditional web vulnerabilities and targeting internal trust boundaries and protocol assumptions.

Organizations operating Git-based DevOps environments should strengthen monitoring and validation controls surrounding internal automation workflows and hook execution mechanisms.

Importance of Security Monitoring in Git-Based DevOps Environments

The GitHub CVE-2026-3854 vulnerability demonstrates how development and DevOps infrastructure are becoming increasingly attractive targets for sophisticated attackers.

As Git-based automation, hooks, and internal service integrations grow more complex, organizations must implement real-time monitoring and anomaly detection capabilities to identify abnormal command execution and injection attempts.

Solutions such as WSS can support detection of malicious request behavior, command injection attempts, and web-based attack activity.

Related Threat Intelligence

Sources

News: Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push