Critical Remote Code Execution in GitHub Enterprise (CVE‑2026‑3854) Threatens Code Repositories
What It Is – A command‑injection flaw in GitHub’s internal push‑metadata handling (CVE‑2026‑3854) lets an attacker with repository‑push rights execute arbitrary commands on the server. The vulnerability is present in GitHub Enterprise Cloud variants and GitHub Enterprise Server.
Exploitability – The bug can be triggered with a single crafted git push that includes malicious push‑option values. Proof‑of‑concept code has been published; GitHub patched the issue within two hours of disclosure. CVSS v3.1 base score is 9.8 (Critical). No evidence of in‑the‑wild exploitation has been observed.
Affected Products –
- GitHub Enterprise Cloud
- GitHub Enterprise Cloud with Data Residency
- GitHub Enterprise Cloud with Enterprise Managed Users
- GitHub Enterprise Server (releases earlier than the fixed versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3 in their respective release lines)
TPRM Impact –
- Supply‑chain risk: compromised repositories can inject malicious code into downstream builds and services.
- Service continuity: successful RCE could disrupt CI/CD pipelines or alter deployment environments.
Recommended Actions –
- Verify that all GitHub Enterprise instances are running the patched versions listed above.
- Enforce least‑privilege push permissions; restrict who can add custom push‑options.
- Deploy runtime monitoring for unexpected command execution on GitHub‑hosted runners or self‑hosted agents.
- Review recent commits for unauthorized push‑option usage and re‑scan affected codebases.
- Update internal security policies to include Git‑push sanitization checks in code‑review workflows.
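The first recommended action is a version check against the fixed releases listed above. The script below is an added example written for this summary, not code from Security Affairs or GitHub; the only data it relies on are the six fixed version numbers from the advisory. It assumes the operator already has each instance's version string (the GitHub Enterprise Server REST `GET /api/v3/meta` endpoint is believed to report it as `installed_version`, but fetching it is left out so the check runs offline), compares the string against the fixed release of the same 3.x line, and reports release lines the advisory does not cover as unknown rather than silently treating them as safe.

```python
"""Compare GitHub Enterprise Server version strings against the releases that
fix CVE-2026-3854 (fixed versions taken from the advisory summary)."""

# Fixed releases per 3.x line, as listed in the advisory.
FIXED_VERSIONS = ["3.14.24", "3.15.19", "3.16.15", "3.17.12", "3.18.6", "3.19.3"]


def parse_version(version: str) -> tuple:
    """Turn '3.15.18' or 'v3.15.18' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.strip().lstrip("v").split("."))


def fixed_for_line(version: str):
    """Return the fixed release for this version's major.minor line, or None
    if the advisory lists no fix for that line."""
    major, minor = parse_version(version)[:2]
    for fixed in FIXED_VERSIONS:
        if parse_version(fixed)[:2] == (major, minor):
            return fixed
    return None


def is_vulnerable(version: str):
    """True if the version is below the fixed release of its line, False if it
    is at or above it, None if the line is not covered by the advisory (treat
    None as 'needs manual review', not as 'safe')."""
    fixed = fixed_for_line(version)
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def assess(versions: list) -> dict:
    """Map each version string to its vulnerability status."""
    return {version: is_vulnerable(version) for version in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {
        "ghes-prod-01": "3.15.18",   # one patch level below the fix
        "ghes-prod-02": "3.19.3",    # at the fixed release
        "ghes-dr-01": "v3.16.15",    # 'v' prefix, at the fixed release
        "ghes-legacy": "3.13.10",    # line not listed in the advisory
    }
    labels = {True: "VULNERABLE", False: "patched", None: "not covered by advisory"}
    for host, version in inventory.items():
        print(f"{host}: {version} -> {labels[is_vulnerable(version)]}")
```

Run it against your own inventory by replacing the constructed dictionary; anything reported as "not covered by advisory" (for example a release line older than 3.14) should be checked manually rather than assumed unaffected.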
Source: Security Affairs – CVE‑2026‑3854 GitHub flaw enables remote code execution