Full Report
Cybersecurity researchers have disclosed details of a critical security vulnerability impacting GitHub.com and GitHub Enterprise Server that could allow an authenticated user to obtain remote code execution with a single "git push" command. The flaw, tracked as CVE-2026-3854 (CVSS score: 8.7), is a case of command injection that could allow an attacker with push access to a repository to achieve
Analysis Summary
# Vulnerability: GitHub RCE via "git push" Command Injection
## CVE Details
- **CVE ID:** CVE-2026-3854
- **CVSS Score:** 8.7 (High/Critical)
- **CWE:** CWE-77 (Command Injection) / CWE-20 (Improper Input Validation)
## Affected Systems
- **Products:**
- GitHub.com
- GitHub Enterprise Cloud (including Data Residency and Managed Users)
- GitHub Enterprise Server (GHES)
- **Versions:** GHES versions prior to 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4, and 3.20.0.
- **Configurations:** Systems where authenticated users have "push" access to at least one repository.
## Vulnerability Description
The flaw resides in how GitHub processes internal `X-Stat` service headers during a `git push` operation. User-supplied "push options" were not properly sanitized before being included in these headers. Because the internal protocol used a semicolon (`;`) as a delimiter—a character also allowed in user input—an attacker could perform header injection.
By chaining three specific injections, researchers could:
1. Bypass sandboxing by modifying the `rails_env`.
2. Redirect the hooks directory via `custom_hooks_dir`.
3. Use path traversal via `repo_pre_receive_hooks` to execute arbitrary commands as the `git` user.
## Exploitation
- **Status:** PoC demonstrated by Wiz researchers; no known exploitation in the wild.
- **Complexity:** Low (described as "remarkably easy" to exploit).
- **Attack Vector:** Network (Authenticated "git push").
## Impact
- **Confidentiality:** High (Full filesystem read access; potential cross-tenant exposure of millions of repositories on shared storage nodes).
- **Integrity:** High (Full filesystem write access; ability to modify code and configurations).
- **Availability:** High (Potential for full service disruption or persistent backdoor installation).
## Remediation
### Patches
GitHub has deployed fixes to GitHub.com and Enterprise Cloud. Enterprise Server users should update to the following versions:
- 3.14.25+
- 3.15.20+
- 3.16.16+
- 3.17.13+
- 3.18.8+
- 3.19.4+
- 3.20.0+
### Workarounds
No specific software workarounds were provided; immediate patching is the recommended course of action due to the ease of exploitation.
## Detection
- **Indicators of Compromise:** Unusual "push options" containing semicolons or path traversal strings (`../`).
- **Detection Methods:** Review GitHub audit logs for unconventional git push configurations and monitor backend storage nodes for unauthorized process execution under the `git` user context.
## References
- **GitHub Advisory:** hxxps[://]github[.]com/advisories/GHSA-64fw-jx9p-5j24
- **GitHub Blog:** hxxps[://]github[.]blog/security/securing-the-git-push-pipeline-responding-to-a-critical-remote-code-execution-vulnerability/
- **Wiz Research:** hxxps[://]www[.]wiz[.]io/blog/github-rce-vulnerability-cve-2026-3854