- A critical vulnerability (CVE-2026-3854) in GitHub allowed remote code execution via a single “git push” command.
- The flaw was a command injection issue where unsanitized push options enabled attackers to bypass sandboxing and execute arbitrary commands.
- Wiz discovered the flaw on March 4, 2026; GitHub patched the cloud service within two hours, but 88% of server instances remained vulnerable at disclosure.
- The exploit could have allowed cross-tenant exposure on GitHub.com, potentially letting an attacker read millions of repositories on a shared node.
A critical security vulnerability discovered by researchers at Google-owned cloud security firm Wiz was disclosed on April 28, 2026. This flaw impacted GitHub.com and GitHub Enterprise Server, allowing authenticated users to achieve remote code execution with a simple “git push” command.
The vulnerability, tracked as CVE-2026-3854, stemmed from improper sanitization of user-supplied push option values, according to a GitHub advisory. Push option values were forwarded into internal service headers that used the same delimiter character to separate metadata fields, so a value containing that delimiter was parsed as additional, attacker-chosen fields.
By chaining injected values, attackers could override the processing environment and bypass sandbox protections. GitHub’s Chief Information Security Officer, Alexis Wales, explained in a blog post that this allowed arbitrary command execution on the server.
Wiz researcher Sagi Tzadik detailed the exploit chain in a company announcement. The chain injected a non-production rails_env value, redirected the hook directory, and supplied a crafted hook entry that triggered path traversal.
The result was full control as the git user, including access to the filesystem. Because the vulnerable code ran on shared storage nodes, the issue was both remarkably easy to exploit and broad in impact.
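The bug class behind this chain, a user-controlled value that shares a delimiter with the internal framing it is embedded in, is easy to reproduce in miniature. The following is an added example written for this page, not GitHub's or Wiz's code: it models a toy internal header as `key=value` fields joined by an assumed delimiter (`;`), shows a constructed push option smuggling `rails_env` and `hook_dir` overrides through the vulnerable serializer, and then shows a hardened serializer that fails closed at the boundary and percent-encodes values as a second layer. The delimiter, field names, last-key-wins parsing and the `push_option_N` naming are all assumptions made for illustration; the path-traversal step of the real chain is not modelled.

```python
import re
from urllib.parse import quote, unquote

# Assumed delimiter between metadata fields in the internal header (illustrative only).
DELIM = ";"
# Fields the service sets itself; a push option must never be able to change these.
TRUSTED_DEFAULTS = {"rails_env": "production", "hook_dir": "/data/hooks"}

# Constructed attacker push option: a benign-looking value followed by smuggled fields.
ATTACKER_OPTION = f"ci=skip{DELIM}rails_env=development{DELIM}hook_dir=/tmp/attacker-hooks"


def build_header_vulnerable(repo: str, push_options: list[str]) -> str:
    """Vulnerable serializer: push option values are concatenated verbatim,
    so a value containing DELIM smuggles extra key=value fields into the header."""
    fields = [f"repo={repo}"]
    fields += [f"{k}={v}" for k, v in TRUSTED_DEFAULTS.items()]
    fields += [f"push_option_{i}={opt}" for i, opt in enumerate(push_options)]
    return DELIM.join(fields)


def parse_header(header: str) -> dict[str, str]:
    """Consumer side (assumed behaviour): split on DELIM, last occurrence of a key wins.
    Values are percent-decoded so the hardened serializer round-trips cleanly."""
    parsed: dict[str, str] = {}
    for field in header.split(DELIM):
        key, _, value = field.partition("=")
        parsed[key] = unquote(value)
    return parsed


class PushOptionError(ValueError):
    """Raised when a push option would break the header framing."""


# Conservative allowlist for push option text; adjust to what the service really needs.
_SAFE_OPTION = re.compile(r"[A-Za-z0-9 ._:/@+-]{1,256}")


def validate_push_option(opt: str) -> str:
    """Boundary check: fail closed on the delimiter, the key/value separator,
    control characters, or anything outside the allowlist. The explicit DELIM
    check is kept even though the regex excludes it, so the intent survives
    later edits to the allowlist."""
    if DELIM in opt or "=" in opt or not _SAFE_OPTION.fullmatch(opt):
        raise PushOptionError(f"rejected push option: {opt!r}")
    return opt


def build_header_hardened(repo: str, push_options: list[str]) -> str:
    """Hardened serializer: validate every option, then percent-encode it so that
    even a future allowlist mistake cannot place a bare DELIM into the header."""
    fields = [f"repo={repo}"]
    fields += [f"{k}={v}" for k, v in TRUSTED_DEFAULTS.items()]
    for i, opt in enumerate(push_options):
        encoded = quote(validate_push_option(opt), safe="")
        fields.append(f"push_option_{i}={encoded}")
    return DELIM.join(fields)


def hardened_rejects(opt: str) -> bool:
    """True if the hardened path refuses the option outright."""
    try:
        build_header_hardened("org/repo", [opt])
    except PushOptionError:
        return True
    return False


def encoding_alone_neutralises(opt: str) -> bool:
    """Defence-in-depth check: once percent-encoded, no bare DELIM can reach the header."""
    return DELIM not in quote(opt, safe="")


if __name__ == "__main__":
    vuln = parse_header(build_header_vulnerable("org/repo", [ATTACKER_OPTION]))
    print("vulnerable path: rails_env =", vuln["rails_env"], "hook_dir =", vuln["hook_dir"])
    print("hardened path rejects attacker option:", hardened_rejects(ATTACKER_OPTION))
    safe = parse_header(build_header_hardened("org/repo", ["ci.skip"]))
    print("hardened path with benign option:", safe)
```

The point of the two layers is that they fail independently: the validator stops the attack at the trust boundary where the intent is clearest, and percent-encoding guarantees the framing stays intact even if someone later widens the allowlist. When auditing a multi-service pipeline, look for exactly the vulnerable pattern above: a user string joined into a structured message with the same separator the downstream parser splits on.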
The problem also extended to GitHub.com due to an injectable enterprise mode flag. GitHub noted this could lead to cross-tenant exposure on its multi-tenant architecture.
An attacker with code execution could potentially read millions of repositories on a shared storage node. However, there is no evidence the flaw was ever maliciously exploited.
GitHub deployed a fix to its cloud service within two hours of the report on March 4. The company has also released patches for specific GitHub Enterprise Server versions.
Users are advised to apply updates immediately. Wiz encouraged teams building multi-service architectures to audit how user-controlled input flows through internal protocols.
