GitHub fixes CVE-2026-3854 RCE

- GitHub said April 28 it fixed CVE-2026-3854, a remote code execution flaw that let users with push access run commands during git pushes.
- GitHub reproduced the bug within 40 minutes and patched GitHub.com in under two hours; Wiz said 88% of GitHub Enterprise Server instances remained exposed.
- The flaw hit GitHub.com and enterprise products, extending software supply-chain risk beyond self-hosted servers. (github.blog)

GitHub said it fixed CVE-2026-3854, a remote code execution bug that let a user with repository push access run commands on GitHub servers during a git push. (github.blog) The company said Wiz reported the flaw through GitHub’s bug bounty program on March 4, 2026, and GitHub reproduced it within 40 minutes. GitHub said it deployed a fix to GitHub.com at 7:00 p.m. UTC that day, less than two hours after identifying the root cause at 5:45 p.m. UTC. (github.blog)

Wiz said the bug affected GitHub.com and GitHub Enterprise Server, and that a single crafted `git push` could trigger arbitrary command execution with a standard git client. Wiz scored the issue at 8.7 on the Common Vulnerability Scoring System. (wiz.io)

The underlying bug sat in the plumbing behind a push. GitHub said user-supplied push-option values were copied into internal metadata without enough sanitization, letting an attacker inject extra fields that downstream services treated as trusted. (github.blog) (github.com) GitHub said the injected fields could override the environment used to process the push, bypass sandboxing around hook execution, and end in arbitrary command execution on the server handling the push. The company said its forensic review found no evidence of exploitation. (github.blog)

Wiz said the same flaw had a different blast radius depending on where it ran. On GitHub.com, the researchers said affected shared storage nodes exposed access to millions of public and private repositories; on GitHub Enterprise Server, they said the bug could lead to full server compromise and access to hosted repositories and internal secrets. (wiz.io)

GitHub Enterprise Server administrators need patches, not just awareness. GitHub’s advisory says fixed versions include 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3, and Wiz said 88% of internet-exposed instances were still vulnerable when it published its write-up. (github.com) (wiz.io) GitHub said the report earned one of the highest rewards in its bug bounty program, and Wiz said the finding was uncovered with help from artificial intelligence tools used against closed-source binaries. The episode leaves GitHub.com users with no action to take, but it gives self-hosted customers a short patch list and a clear deadline. (github.blog) (wiz.io)
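For administrators working through that patch list, here is an added example (not GitHub's or Wiz's code) that triages GitHub Enterprise Server version strings against the fixed releases named above; the version parsing and the handling of branches the advisory list does not mention are this example's own assumptions.

```python
"""Triage GitHub Enterprise Server versions against the CVE-2026-3854 fixed releases."""
import re

# Fixed release per minor branch, as quoted from the advisory in the article.
# Any branch absent from this table is reported as "unknown-branch" because the
# article makes no statement about it (assumption: flag it for manual review).
FIXED_VERSIONS = {
    (3, 14): 24,
    (3, 15): 19,
    (3, 16): 15,
    (3, 17): 12,
    (3, 18): 6,
    (3, 19): 3,
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Parse a strict 'MAJOR.MINOR.PATCH' string into an int tuple; reject anything else."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version_text):
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for one GHES version string.

    A build is 'fixed' only when its patch level is at or above the fixed
    release for its own minor branch; a newer minor branch does not count as
    fixed for an older one, so each branch is compared separately.
    """
    major, minor, patch = parse_version(version_text)
    fixed_patch = FIXED_VERSIONS.get((major, minor))
    if fixed_patch is None:
        return "unknown-branch"
    return "fixed" if patch >= fixed_patch else "vulnerable"


def triage(versions):
    """Assess every version string in a fleet inventory, keeping the original order."""
    return {version: assess(version) for version in versions}


if __name__ == "__main__":
    # Constructed sample inventory for illustration, not real hosts.
    sample = ["3.16.14", "3.16.15", "3.19.3", "3.18.5", "3.13.9"]
    for version, status in triage(sample).items():
        print(f"{version:10} {status}")
```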
