CVE-2026-3854
Description
An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 and 3.19.4.
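The delimiter-collision pattern the description names, as an added example that is not GitHub's code: a header built from metadata fields where an unsanitised user value grows into extra fields, beside a hardened builder that encodes values so no delimiter can survive, plus a reject-on-sight check. The `key=value;key=value` layout, the field names and the sample values are all assumptions; the advisory does not disclose the real internal header format.

```python
from urllib.parse import quote, unquote

# Assumed layout, not GitHub's real format: "key=value;key=value"
FIELD_SEP = ";"
KV_SEP = "="
FORBIDDEN = set(FIELD_SEP + KV_SEP + "\r\n\0")


def build_header_naive(fields: dict) -> str:
    """Vulnerable pattern: values are joined verbatim, so a value that
    contains FIELD_SEP or KV_SEP is parsed back as additional fields.
    Keys are assumed to be server-chosen; only values are user input."""
    return FIELD_SEP.join(f"{k}{KV_SEP}{v}" for k, v in fields.items())


def parse_header_naive(header: str) -> dict:
    out = {}
    for part in header.split(FIELD_SEP):
        if part:
            k, _, v = part.partition(KV_SEP)
            out[k] = v
    return out


def reject_unsafe(value: str) -> str:
    """Defence in depth: refuse a value carrying a delimiter or control
    character before it gets anywhere near the header."""
    bad = sorted(FORBIDDEN.intersection(value))
    if bad:
        raise ValueError(f"push option contains forbidden characters: {bad!r}")
    return value


def build_header_safe(fields: dict) -> str:
    """Hardened pattern: percent-encode every value with an empty 'safe' set,
    so the encoded text cannot contain FIELD_SEP, KV_SEP or control chars."""
    return FIELD_SEP.join(f"{k}{KV_SEP}{quote(v, safe='')}" for k, v in fields.items())


def parse_header_safe(header: str) -> dict:
    out = {}
    for part in header.split(FIELD_SEP):
        if part:
            k, _, v = part.partition(KV_SEP)
            out[k] = unquote(v)
    return out


# Constructed sample: a push option value that smuggles a second field.
SAMPLE = {"push_option": "deploy;privileged=true", "actor": "alice"}

if __name__ == "__main__":
    print(parse_header_naive(build_header_naive(SAMPLE)))  # 3 fields
    print(parse_header_safe(build_header_safe(SAMPLE)))    # 2 fields
```

The detection-side takeaway is the same check run in reverse: a consumer that counts more fields than the producer intended has evidence of injection.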
Affected products (1)
Patches (0)
No patches discovered yet.
References
- docs.github.com/en/enterprise-server@3.14/admin/release-notes (NVD)
- docs.github.com/en/enterprise-server@3.15/admin/release-notes (NVD)
- docs.github.com/en/enterprise-server@3.16/admin/release-notes (NVD)
- docs.github.com/en/enterprise-server@3.17/admin/release-notes (NVD)
- docs.github.com/en/enterprise-server@3.18/admin/release-notes (NVD)
- docs.github.com/en/enterprise-server@3.19/admin/release-notes (NVD)
- www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854 (NVD)
News mentions
- ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More (The Hacker News, May 4, 2026)
- Week in review: High-severity LPE vulnerability in the Linux kernel, cPanel 0-day exploited for months (Help Net Security, May 3, 2026)
- GitHub: Zounds, a genuinely helpful AI-assisted bug report that isn't total slop! Here, Wiz, take this wad of cash (The Register Security, Apr 29, 2026)
- Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push (The Hacker News, Apr 28, 2026)