GitHub patched a critical remote code execution vulnerability that could have allowed attackers to access millions of private repositories. The flaw (CVE-2026-3854), reported by Wiz, was confirmed and fixed quickly on GitHub.com, but many GitHub Enterprise Server instances remain vulnerable and must be upgraded immediately. #CVE-2026-3854 #GitHub
Key points
- Wiz reported CVE-2026-3854 on March 4, 2026, and GitHub reproduced and fixed the issue on GitHub.com within hours.
- The vulnerability affects GitHub.com, GitHub Enterprise Cloud variants, and GitHub Enterprise Server.
- Exploitation requires a single malicious "git push" and can grant full read/write access and remote code execution via injected metadata.
- Wiz warned that millions of repositories on shared storage nodes were accessible during testing and about 88% of reachable GHES instances remain unpatched.
- GitHub's forensic analysis found no evidence of prior exploitation, and GitHub published patches for all supported GHES releases, urging immediate upgrades.