Critical RCE in GitHub (CVE‑2026‑3854) Enables Remote Code Execution via Single Git Push
What It Is – A critical command‑injection flaw in GitHub.com and GitHub Enterprise Server that lets an authenticated user with push rights execute arbitrary code on the server with a single git push. The vulnerability is tracked as CVE‑2026‑3854 and carries a CVSS 8.7 (High).
Exploitability – Requires valid repository push credentials; no public exploit code has been released, but a proof of concept exists, and the attack is low‑complexity for insiders or holders of compromised accounts.
Affected Products – GitHub.com (SaaS) and GitHub Enterprise Server (self‑hosted).
TPRM Impact – Organizations that rely on GitHub for source code, CI/CD pipelines, or as a third‑party dependency face potential leakage of proprietary code, insertion of malicious binaries, and downstream supply‑chain compromise.
Recommended Actions –
- Enforce MFA and rotate all personal access tokens and SSH keys used for Git pushes.
- Apply the GitHub‑issued patch immediately (or upgrade Enterprise Server to the patched version).
- Restrict push permissions to the minimum required set of users and service accounts.
- Enable GitHub’s “push protection” and audit logs; monitor for anomalous push activity.
- Review CI/CD pipelines for any steps that could be hijacked by injected code.
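One way to act on the "audit logs; monitor for anomalous push activity" and "restrict push permissions" items above is to baseline who is expected to push to each repository and flag pushes that break that baseline. The script below is an added example, not code from the advisory or from GitHub; the field names (action, actor, repo, actor_ip, @timestamp) and the sample log lines are constructed assumptions modelled on a JSON‑lines audit‑log export, so adjust them to the schema your export actually uses.

```python
import json
from datetime import datetime, timezone

# Constructed sample audit-log export (one JSON object per line). Field names are an
# assumption for this example; map them to your real export schema before use.
SAMPLE_LOG = """
{"action":"git.push","actor":"alice","repo":"acme/payments","actor_ip":"203.0.113.10","@timestamp":"2026-03-02T09:15:00Z"}
{"action":"git.push","actor":"ci-bot","repo":"acme/payments","actor_ip":"198.51.100.7","@timestamp":"2026-03-02T09:20:00Z"}
{"action":"git.push","actor":"mallory","repo":"acme/payments","actor_ip":"192.0.2.44","@timestamp":"2026-03-02T09:25:00Z"}
{"action":"git.push","actor":"alice","repo":"acme/payments","actor_ip":"192.0.2.99","@timestamp":"2026-03-02T03:40:00Z"}
{"action":"repo.access","actor":"bob","repo":"acme/payments","actor_ip":"203.0.113.11","@timestamp":"2026-03-02T09:30:00Z"}
"""

# Baseline (constructed): the minimum set of identities allowed to push to each repo,
# and the source addresses each of them normally pushes from. Build yours from
# historical audit data and your identity provider, and keep it under review.
APPROVED_PUSHERS = {"acme/payments": {"alice", "ci-bot"}}
KNOWN_IPS = {"alice": {"203.0.113.10"}, "ci-bot": {"198.51.100.7"}}
BUSINESS_HOURS_UTC = range(7, 20)  # 07:00-19:59 UTC; tune to your team's pattern


def parse_events(raw):
    """Parse the JSON-lines export and keep only git.push events."""
    events = [json.loads(line) for line in raw.strip().splitlines() if line.strip()]
    return [e for e in events if e.get("action") == "git.push"]


def flag_anomalous_pushes(raw, approved=APPROVED_PUSHERS, known_ips=KNOWN_IPS):
    """Return (actor, repo, reason) tuples for pushes that break the baseline."""
    findings = []
    for e in parse_events(raw):
        actor, repo, ip = e["actor"], e["repo"], e.get("actor_ip", "")
        ts = datetime.fromisoformat(e["@timestamp"].replace("Z", "+00:00"))
        if actor not in approved.get(repo, set()):
            # An identity outside the approved set is the strongest signal for a
            # push-triggered flaw; report it and skip the weaker checks.
            findings.append((actor, repo, "push by non-approved actor"))
            continue
        if ip not in known_ips.get(actor, set()):
            findings.append((actor, repo, f"push from unseen source IP {ip}"))
        if ts.astimezone(timezone.utc).hour not in BUSINESS_HOURS_UTC:
            findings.append((actor, repo, "push outside expected hours"))
    return findings


if __name__ == "__main__":
    for finding in flag_anomalous_pushes(SAMPLE_LOG):
        print(finding)
```

Each finding should be triaged against the token and key rotation above: a push from an approved identity but an unseen address is exactly what a stolen PAT or SSH key looks like in the log.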
Source: The Hacker News