CVE-2026-3854
Description
An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 and 3.19.4.
Affected products
- cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:* (version range: <3.14.24)
- (no CPE) version range: >= 3.14.0, <= 3.19.4 (fixed in 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4)
References
- docs.github.com/en/enterprise-server@3.14/admin/release-notes (source: NVD)
- docs.github.com/en/enterprise-server@3.15/admin/release-notes (source: NVD)
- docs.github.com/en/enterprise-server@3.16/admin/release-notes (source: NVD)
- docs.github.com/en/enterprise-server@3.17/admin/release-notes (source: NVD)
- docs.github.com/en/enterprise-server@3.18/admin/release-notes (source: NVD)
- docs.github.com/en/enterprise-server@3.19/admin/release-notes (source: NVD)
- www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854 (source: NVD)
News mentions
- ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More (The Hacker News, May 4, 2026)
- Week in review: High-severity LPE vulnerability in the Linux kernel, cPanel 0-day exploited for months (Help Net Security, May 3, 2026)
- Reverse Engineering With AI Unearths High-Severity GitHub Bug (Dark Reading, Apr 29, 2026)
- GitHub: Zounds, a genuinely helpful AI-assisted bug report that isn't total slop! Here, Wiz, take this wad of cash (The Register Security, Apr 29, 2026)
- Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push (The Hacker News, Apr 28, 2026)
- Securing the git push pipeline: Responding to a critical remote code execution vulnerability (GitHub Security Lab, Apr 28, 2026)