A critical command-injection vulnerability (CVE-2026-3854) in GitHub's internal protocol allowed an authenticated user with push access to achieve remote code execution on GitHub.com and GitHub Enterprise Server with a single git push. Discovered by Wiz and patched quickly on GitHub.com, with GHES updates released for multiple versions, the flaw could enable sandbox bypass and cross-tenant access to shared storage, so administrators should apply the fixes immediately. #CVE20263854 #GitHub #GitHubEnterpriseServer #Wiz
Key points
- CVE-2026-3854 is a command-injection bug triggered by unsanitized git push option values that can lead to remote code execution.
- The vulnerability affects GitHub.com, GitHub Enterprise Cloud, and multiple GitHub Enterprise Server versions.
- Wiz discovered and reported the issue on March 4, 2026, and GitHub patched GitHub.com within two hours while releasing GHES fixes.
- The exploit chain injects rails_env, custom_hooks_dir, and repo_pre_receive_hooks to bypass sandboxing and execute arbitrary commands as the git user.
- Administrators should apply the GHES updates immediately and audit internal protocols that pass user-controlled input through shared metadata formats.
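As an added illustration of the auditing advice above (not code from GitHub, Wiz or the linked article), the following server-side check treats git push options as untrusted input: it restricts their character set and refuses any option whose key matches one of the names the summary says were injected (rails_env, custom_hooks_dir, repo_pre_receive_hooks). The reserved-key list and the pre-receive-hook framing are illustrative assumptions; git really does hand push options to server-side hooks through GIT_PUSH_OPTION_COUNT and GIT_PUSH_OPTION_<n>.

```python
from __future__ import annotations

import os
import re
import sys

# Keys the summary names as injected in the CVE-2026-3854 exploit chain.
# Illustrative list: a real deployment would enumerate its own reserved
# metadata keys rather than reuse these three.
RESERVED_KEYS = {"rails_env", "custom_hooks_dir", "repo_pre_receive_hooks"}

# Conservative allow-list for a push option: no control characters, newlines,
# NUL, quotes or shell metacharacters that could survive into a metadata format
# parsed by a downstream component.
SAFE_OPTION = re.compile(r"[A-Za-z0-9_.:/@=+-]{1,256}")


def check_push_option(option: str) -> str | None:
    """Return a rejection reason for one push option, or None if it is acceptable."""
    if not SAFE_OPTION.fullmatch(option):
        return "disallowed characters or length"
    key, _sep, _value = option.partition("=")
    if key.lower() in RESERVED_KEYS:
        return f"attempt to set reserved key {key!r}"
    return None


def validate_push_options(options: list[str]) -> list[str]:
    """Return human-readable rejections; an empty list means the push may proceed."""
    return [
        f"option {i}: {reason}"
        for i, opt in enumerate(options)
        if (reason := check_push_option(opt)) is not None
    ]


def push_options_from_env(env=os.environ) -> list[str]:
    """Collect push options the way git exposes them to server-side hooks."""
    count = int(env.get("GIT_PUSH_OPTION_COUNT", "0"))
    return [env.get(f"GIT_PUSH_OPTION_{i}", "") for i in range(count)]


if __name__ == "__main__":
    # Usable as a pre-receive hook: a non-zero exit rejects the push.
    problems = validate_push_options(push_options_from_env())
    for problem in problems:
        print(f"rejected push: {problem}", file=sys.stderr)
    sys.exit(1 if problems else 0)
```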
Read More: https://thehackernews.com/2026/04/researchers-discover-critical-github.html