Critical GitHub Flaw CVE-2026-3854 Enables Remote Code Execution via Git Push; Patch Urged

Critical GitHub Vulnerability Allows Remote Code Execution via Single Git Push

A significant security vulnerability, identified as CVE-2026-3854 with a CVSS score of 8.7, has been discovered in GitHub.com and GitHub Enterprise Server. This flaw enables authenticated users to execute remote code on the server by issuing a single git push command. The vulnerability arises from improper sanitization of user-supplied push option values during git push operations. These values were incorporated into internal service headers without adequate validation, allowing attackers to inject additional metadata fields through specially crafted push options.

The issue was reported by cloud security firm Wiz on March 4, 2026. GitHub promptly validated and deployed a fix to GitHub.com within two hours. The vulnerability has also been addressed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4, 3.20.0, and later. There is no evidence to suggest that this vulnerability was exploited maliciously prior to the fix.

The core of the problem lies in the inadequate sanitization of user-supplied git push options before their inclusion in the internal X-Stat header. The internal metadata format uses a semicolon as a field delimiter, and nothing stopped that same character from appearing in user input. A push option containing semicolons therefore terminated the intended field and let the attacker append additional fields of their own, which the receiving service parsed as trusted metadata and which, as described below, could ultimately be turned into command execution on the server.
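The mechanism described above is a classic delimiter-injection bug, and it is easiest to see with a small model of it. The following Python is an added illustration, not GitHub's or Wiz's code: the actual X-Stat format is not public, so the key=value;key=value layout, the field names (repo, env_mode, hooks_dir, push_options) and the sample values are all constructed here. It shows a naive serializer whose consumer silently lets a user-controlled value override service-set fields, beside a hardened pair that allow-lists push option characters, percent-encodes every value so the delimiter can never be smuggled in, and rejects duplicate or unexpected keys on the parsing side.

```python
"""Delimiter injection in an internal metadata header: vulnerable vs hardened.

Constructed example. The real header format used by GitHub is not public;
this toy format assumes semicolon-separated key=value pairs.
"""
import re
from urllib.parse import quote, unquote

DELIM = ";"

# Only these keys are ever expected in the header (constructed list).
EXPECTED_KEYS = {"repo", "env_mode", "hooks_dir", "push_options"}

# Conservative allow-list for a push option value: no ';', '=', whitespace or
# control characters can ever get through.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._,/-]*")


class PushOptionError(ValueError):
    """Raised when user input would break the header format."""


def build_header_naive(fields):
    """Vulnerable: values are concatenated with no validation or encoding."""
    return DELIM.join(f"{k}={v}" for k, v in fields.items())


def parse_header_naive(header):
    """Vulnerable consumer: last occurrence of a key silently wins."""
    out = {}
    for item in filter(None, header.split(DELIM)):
        k, _, v = item.partition("=")
        out[k] = v
    return out


def encode_value(value):
    """Percent-encode so the delimiter and '=' cannot appear in a value."""
    return quote(str(value), safe="")


def serialize_encoded(fields):
    """Serializer that encodes every value; safe even without the allow-list."""
    return DELIM.join(f"{k}={encode_value(v)}" for k, v in fields.items())


def build_header_hardened(service_fields, user_push_options):
    """Defence in depth: allow-list user input, then encode everything."""
    for opt in user_push_options:
        if not SAFE_VALUE.fullmatch(opt):
            raise PushOptionError(f"push option contains disallowed characters: {opt!r}")
    fields = dict(service_fields)  # service-set values are never overridable
    fields["push_options"] = ",".join(user_push_options)
    return serialize_encoded(fields)


def parse_header_strict(header):
    """Hardened consumer: rejects malformed items, unknown keys and duplicates."""
    out = {}
    for item in filter(None, header.split(DELIM)):
        k, sep, v = item.partition("=")
        if not sep:
            raise PushOptionError(f"malformed header item: {item!r}")
        if k not in EXPECTED_KEYS:
            raise PushOptionError(f"unexpected header key: {k!r}")
        if k in out:
            raise PushOptionError(f"duplicate header key: {k!r}")
        out[k] = unquote(v)
    return out


# Constructed sample data: what the service sets, and a hostile push option
# that tries to append its own fields after the delimiter.
SERVICE_FIELDS = {
    "repo": "org/project",
    "env_mode": "production",
    "hooks_dir": "/srv/git/hooks",
}
HOSTILE_OPTION = "x;env_mode=development;hooks_dir=/tmp/untrusted"
BENIGN_OPTION = "ci.skip"


def demo_naive():
    """Returns the fields the naive consumer ends up trusting."""
    header = build_header_naive({**SERVICE_FIELDS, "push_options": HOSTILE_OPTION})
    return parse_header_naive(header)


def demo_hardened(option):
    """Returns parsed fields, or the PushOptionError raised by validation."""
    try:
        header = build_header_hardened(SERVICE_FIELDS, [option])
    except PushOptionError as exc:
        return exc
    return parse_header_strict(header)


if __name__ == "__main__":
    print("naive   :", demo_naive())          # env_mode/hooks_dir overridden
    print("hardened:", demo_hardened(HOSTILE_OPTION))  # rejected at the boundary
    print("hardened:", demo_hardened(BENIGN_OPTION))   # service values intact
```

The two layers are deliberately independent: even if a future change loosened the allow-list, `serialize_encoded` still turns the hostile value into a single opaque field, and `parse_header_strict` still refuses a header in which a key appears twice. Auditing for this class of bug means finding every place where user input is joined into an internal delimited format and checking that at least one such layer exists on each side of the boundary.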

By chaining several injected values, researchers demonstrated that an attacker could override the environment in which the push was processed, bypass sandboxing protections that typically constrain hook execution, and ultimately execute arbitrary commands on the server.

Wiz highlighted the ease of exploiting this issue, noting that it allows remote code execution on shared storage nodes. Approximately 88% of instances were vulnerable at the time of public disclosure. The remote code execution chain involves three injections:

– Injecting a non-production rails_env value to bypass the sandbox
– Injecting custom_hooks_dir to redirect the hook directory
– Injecting repo_pre_receive_hooks with a crafted hook entry that triggers path traversal to execute arbitrary commands as the git user

With unsandboxed code execution as the git user, attackers could gain full control over the GitHub Enterprise Server instance, including filesystem read/write access and visibility into internal service configurations.

In GitHub.com, an enterprise mode flag defaults to false, rendering the custom hooks path inactive. However, since this flag is also passed in the X-Stat header, it is equally injectable using the same mechanism, leading to code execution on GitHub.com as well.

Given GitHub’s multi-tenant architecture and shared backend infrastructure, obtaining code execution on GitHub.com could enable cross-tenant exposure, effectively allowing an attacker to read millions of repositories on the shared storage node, irrespective of the organization or user.

Due to the severity of CVE-2026-3854, administrators of affected GitHub Enterprise Server instances are strongly advised to apply the patched releases immediately; GitHub.com has already been fixed server-side and requires no action from users.

This incident underscores the importance of thorough input validation and sanitization in software development, especially in multi-service architectures where user-controlled input flows through internal protocols. Organizations are encouraged to audit how such input is handled to prevent similar vulnerabilities.