VYPR
patch · Published Apr 28, 2026 · Updated May 20, 2026 · 1 source

Critical RCE Vulnerability in GitHub's Git Push Pipeline (CVE-2026-3854) Patched Within Hours

A critical remote code execution vulnerability in GitHub's git push pipeline, discovered by Wiz researchers, allowed any user with push access to execute arbitrary commands on GitHub servers.

On March 4, 2026, GitHub received a critical vulnerability report through its Bug Bounty program from researchers at Wiz. The flaw, assigned CVE-2026-3854, affected github.com, GitHub Enterprise Cloud, and GitHub Enterprise Server (GHES). Within two hours of the report, GitHub had validated the finding, deployed a fix to github.com, and launched a forensic investigation that found no evidence of exploitation in the wild.

The vulnerability resided in how user-supplied git push options were handled within internal metadata. Git push options are a legitimate feature that allows clients to send key-value strings to the server during a push. However, the values provided by users were incorporated into internal metadata without sufficient sanitization. Because the internal metadata format used a delimiter character that could also appear in user input, an attacker could inject additional fields that downstream services would interpret as trusted internal values. By chaining several injected values together, the researchers demonstrated that an attacker could override the environment the push was processed in, bypass the sandboxing protections that normally constrain hook execution, and ultimately execute arbitrary commands on the server.

The attack required only a single command: `git push` with a crafted push option that leveraged an unsanitized character. Any user with push access to a repository—including a repository they created themselves—could achieve arbitrary command execution on the GitHub server handling their git push operation. This made the vulnerability particularly dangerous, as it could be exploited by any authenticated user without special privileges.

GitHub's security team immediately began validating the bug bounty report. Within 40 minutes, they had reproduced the vulnerability internally and confirmed its critical severity. With the root cause identified at 5:45 p.m. UTC on March 4, 2026, the engineering team developed and deployed a fix to github.com at 7:00 p.m. UTC that same day. The fix ensures that user-supplied push option values are properly sanitized and can no longer influence internal metadata fields. For GitHub Enterprise Server, patches were prepared across all supported releases (3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, 3.20.0, or later) and published under CVE-2026-3854.

A key property of the vulnerability gave GitHub confidence in its ability to detect prior exploitation. The exploit forces the server to take a code path that is never used during normal operations on github.com. GitHub logged this path and queried its telemetry for any instance of this anomalous code path being executed. The results were clear: every occurrence mapped to the Wiz researchers' own testing activity. No other users or accounts triggered this code path, and no customer data was accessed, modified, or exfiltrated as a result of this vulnerability. For GHES customers, exploitation would require an authenticated user with push access on the instance.

Beyond fixing the immediate input sanitization issue, GitHub's investigation surfaced an additional finding: the exploit worked in part because the server had access to a code path that was not intended for the environment it was running in. This code path existed on disk as part of the server's container image, even though it was only meant to be used in a different product configuration. An older deployment method had correctly excluded this code, but when the deployment model changed, the exclusion was not carried forward. GitHub has since removed the unnecessary code path from environments where it should not exist, adding defense in depth against similar future vulnerabilities.

GitHub Enterprise Cloud, GitHub Enterprise Cloud with Enterprise Managed Users, GitHub Enterprise Cloud with Data Residency, and github.com were patched on March 4, 2026, and no action is required from users of these services. For GHES customers, GitHub recommends reviewing `/var/log/github-audit.log` for push operations containing `;` in push options and upgrading to the latest patch release as soon as possible. This incident highlights the importance of rigorous input sanitization in internal protocols and the value of defense-in-depth strategies in preventing supply chain attacks on development infrastructure.
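The two defender-side pieces the article describes, as an added illustration rather than GitHub's own code: a serializer that refuses to embed a push option containing the metadata delimiter (the class of fix described above) and a scanner for the audit-log review recommended to GHES customers. The `;`-joined `key=value` metadata format, the `git.push` action name, the `push_options` field and the sample log lines are all constructed assumptions, not GitHub's real formats.

```python
import json

# Assumed internal metadata format: "key=value" pairs joined by ';'. Constructed to
# illustrate the delimiter-injection class the advisory describes; not GitHub's real format.
DELIMITER = ";"
FORBIDDEN_IN_VALUE = {DELIMITER, "\n", "\r", "\0"}
FORBIDDEN_IN_KEY = FORBIDDEN_IN_VALUE | {"="}


def encode_push_options(options: dict[str, str]) -> str:
    """Serialise user push options into the delimited metadata string, rejecting
    any key or value that could smuggle an extra field past the downstream parser."""
    for key, value in options.items():
        if any(ch in key for ch in FORBIDDEN_IN_KEY):
            raise ValueError(f"push option key {key!r} contains a forbidden character")
        if any(ch in value for ch in FORBIDDEN_IN_VALUE):
            raise ValueError(f"push option {key!r} value contains a forbidden character")
    return DELIMITER.join(f"{k}={v}" for k, v in options.items())


def parse_metadata(blob: str) -> dict[str, str]:
    """Downstream parser that trusts every field it sees; this is why the
    serializer above must never let a delimiter through."""
    return dict(field.split("=", 1) for field in blob.split(DELIMITER) if field)


def find_suspicious_pushes(log_lines: list[str]) -> list[dict]:
    """Return audit-log entries for push operations whose push options contain ';'.
    Assumes one JSON object per line with 'action' and 'push_options' fields
    (an assumption; the real GHES audit-log schema may differ)."""
    hits = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines rather than abort the whole review
        opts = entry.get("push_options") or []
        if entry.get("action") == "git.push" and any(DELIMITER in o for o in opts):
            hits.append(entry)
    return hits


# Constructed sample log lines (not real GHES output).
SAMPLE_LOG = [
    '{"action":"git.push","actor":"alice","repo":"org/app","push_options":["ci.skip=1"]}',
    '{"action":"git.push","actor":"mallory","repo":"mallory/scratch","push_options":["ci.skip=1;extra=field"]}',
    "not json at all",
    '{"action":"repo.create","actor":"bob","repo":"bob/new"}',
]

if __name__ == "__main__":
    print(encode_push_options({"ci.skip": "1"}))
    for hit in find_suspicious_pushes(SAMPLE_LOG):
        print("suspicious push:", hit["actor"], hit["repo"], hit["push_options"])
```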

Synthesized by Vypr AI