Key Findings

• Critical command injection vulnerability (CVE-2026-3854, CVSS 8.7) allows authenticated users to achieve remote code execution via a single git push command

• Affects GitHub.com, GitHub Enterprise Cloud, and GitHub Enterprise Server across multiple versions

• Flaw stems from unsanitized user-supplied git push options being embedded in internal service headers without proper delimiter handling

• Exploitation chain allows attackers to bypass sandbox protections, redirect hook directories, and execute arbitrary commands as the git user

• On GitHub.com, the vulnerability enables cross-tenant exposure potentially affecting millions of repositories on shared storage nodes

• Google-owned cloud security firm Wiz discovered and reported the issue on March 4, 2026; GitHub patched GitHub.com within two hours

• Approximately 88% of GitHub Enterprise Server instances remained vulnerable at time of public disclosure

• No evidence of malicious exploitation in the wild; no customer data compromised

Background

The vulnerability exists in how GitHub handles internal metadata exchange between services during git push operations. User-supplied push option values were being incorporated into an internal X-Stat header without adequate sanitization. This seemingly minor oversight created a critical attack surface when combined with GitHub's multi-service architecture where different languages and systems share a common internal protocol.

Technical Details of the Flaw

The core issue involves improper delimiter handling. GitHub's internal metadata format uses semicolons as delimiters, but these characters could also appear in user-supplied input. This overlap allowed attackers to inject additional metadata fields through specially crafted push option values. The internal services downstream received this manipulated data and treated it as legitimate configuration, never questioning its origin.

Exploitation Chain

Wiz researchers demonstrated a three-step injection attack that bypassed multiple security layers. First, attackers injected a non-production rails_env value to disable the sandbox environment that normally constrains hook execution. Second, they injected a custom_hooks_dir parameter to redirect the hook directory to a location they controlled. Third, they injected a repo_pre_receive_hooks entry with a crafted hook that used path traversal to execute arbitrary commands. This chain gave attackers full control as the git service user, including filesystem read and write access plus visibility into internal service configurations.

Impact on GitHub.com vs Enterprise Server

GitHub Enterprise Server proved more vulnerable because it has an enterprise mode flag set to "true" that activates custom hooks functionality. However, GitHub.com users faced a different but equally severe threat. Although the enterprise flag defaults to "false" on GitHub.com (disabling custom hooks), the flag itself is passed through the same X-Stat header and therefore equally injectable. This meant attackers could enable custom hooks on GitHub.com through the same injection mechanism, achieving code execution there as well. Due to GitHub's multi-tenant shared backend infrastructure, gaining code execution on GitHub.com allowed attackers to potentially read repositories across multiple organizations and users on the same storage node.

Patches and Versions

GitHub released fixes within two hours of receiving the report on March 4, 2026. GitHub Enterprise Server users needed to upgrade to version 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4, 3.20.0, or later. At the time of disclosure, security researchers estimated 88% of Enterprise Server instances had not yet applied the patch, leaving the vast majority of on-premises deployments exposed.

Discovery Method and Implications

Wiz researchers used artificial intelligence tools to discover the vulnerability in GitHub's closed-source code, marking a shift in how complex vulnerabilities are being identified. The ease of exploitation combined with the difficulty of discovering it highlights an emerging threat landscape where AI-assisted analysis finds flaws that traditional methods might miss. The vulnerability also underscores a broader architectural lesson: when multiple services in different programming languages share internal protocols, the assumptions each service makes about data validation become critical security weak points.

Sources

• https://thehackernews.com/2026/04/researchers-discover-critical-github.html

• https://securityaffairs.com/191434/security/cve-2026-3854-github-flaw-enables-remote-code-execution.html