Critical GitHub RCE Vulnerability Exposed Millions of Public and Private Repositories to Backend Server Compromise (CVE-2026-3854)

A critical injection flaw in GitHub's internal Git protocol allowed any authenticated user to execute arbitrary commands on backend servers with a single git push — exposing millions of public and private repositories on shared storage nodes.


Wiz researchers have disclosed a critical remote code execution vulnerability in GitHub's internal Git infrastructure that exposed millions of repositories across both GitHub.com and GitHub Enterprise Server. Tracked as CVE-2026-3854, the flaw allowed any authenticated user to execute arbitrary commands on GitHub's backend servers using nothing more than a standard git client and a single push command.

The vulnerability was an injection flaw in GitHub's internal protocol. The authentication requirement may appear to limit the attack surface, but in practice the bar was negligible — any user with push access to any repository, including one they created themselves, could trigger exploitation. Creating a free GitHub account and pushing to a new repository was sufficient.

On GitHub Enterprise Server, successful exploitation gave attackers full server compromise with access to all hosted repositories and internal secrets. On GitHub.com, the impact was even broader — the flaw enabled remote code execution on shared storage nodes. Wiz confirmed that millions of public and private repositories belonging to other users and organizations were accessible on the affected nodes.

The vulnerability also impacted GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, and GitHub Enterprise Cloud with Enterprise Managed Users — effectively spanning GitHub's entire product lineup.

Wiz reported the flaw to GitHub on March 4, and a fix was deployed to GitHub.com the same day. A patch for Enterprise Server followed on March 10. GitHub has conducted a forensic investigation and determined that CVE-2026-3854 was not exploited in the wild prior to remediation.

However, the Enterprise Server exposure remains a concern. Wiz reported on Tuesday that 88% of Enterprise Server instances have not yet been updated to a patched version — nearly two months after the fix became available. Any organization running an unpatched GitHub Enterprise Server instance is vulnerable to full server takeover by any authenticated user.

Wiz noted the vulnerability was discovered using AI-assisted analysis, and has published a full technical breakdown of the exploitation chain.

Mitigation:

Organizations running GitHub Enterprise Server should patch immediately — 88% of instances remain unpatched nearly eight weeks after the fix was released, and the exploitation requirements are trivially low. Any authenticated user with push access to any repository can trigger the vulnerability. Verify your Enterprise Server version against the patched releases listed in GitHub's advisory. For GitHub.com users, no action is required — the fix was deployed server-side on March 4. Organizations that self-host GitHub Enterprise should also audit repository access logs from the period between disclosure and patching for any anomalous push activity from unexpected accounts.
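The two self-hosted mitigation steps above (confirm the running release is a fixed one, then review push activity from the exposure window) can be scripted. The following is an added example written for this article, not code from Zero Day Wire, Wiz or GitHub. It assumes audit entries in the field layout of GitHub's audit-log JSON export (`action`, `actor`, `repo`, `@timestamp` in epoch milliseconds) with pushes recorded as `git.push`; the log lines and the fixed-release numbers in the demo are constructed, and the real fixed releases must be taken from GitHub's advisory for CVE-2026-3854.

```python
"""
Added example (not from the article, Wiz, or GitHub): defender-side triage
for a GitHub Enterprise Server instance after CVE-2026-3854.

  is_patched()        - is the running GHES version at or above the first
                        fixed release of its series (values from the advisory)?
  suspicious_pushes() - which git pushes landed between public disclosure
                        (2026-03-04) and the moment this instance was patched,
                        from accounts outside the expected set?

Assumed: audit-log JSON export field names and the `git.push` event name.
All log lines below are constructed sample data.
"""
import json
from datetime import datetime, timezone

DISCLOSURE = datetime(2026, 3, 4, tzinfo=timezone.utc)  # date Wiz reported the flaw


def version_tuple(version):
    """'3.13.2' -> (3, 13, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_patched(installed, fixed_releases):
    """True if `installed` is at or above the first fixed release of its
    major.minor series. A series absent from `fixed_releases` is treated as
    unpatched, since the advisory lists no fix for it."""
    series = ".".join(installed.split(".")[:2])
    floor = fixed_releases.get(series)
    if floor is None:
        return False
    return version_tuple(installed) >= version_tuple(floor)


def parse_audit_log(text):
    """Parse newline-delimited JSON audit entries, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def suspicious_pushes(entries, patched_at, expected_actors):
    """Return git.push events with DISCLOSURE <= time <= patched_at whose
    actor is not in expected_actors, as (actor, repo, iso_time) tuples."""
    hits = []
    for entry in entries:
        if entry.get("action") != "git.push":
            continue
        when = datetime.fromtimestamp(entry["@timestamp"] / 1000, tz=timezone.utc)
        if DISCLOSURE <= when <= patched_at and entry.get("actor") not in expected_actors:
            hits.append((entry["actor"], entry.get("repo"), when.isoformat()))
    return hits


def _ms(year, month, day, hour=0):
    """Epoch milliseconds for a UTC date; used only to build the constructed sample."""
    return int(datetime(year, month, day, hour, tzinfo=timezone.utc).timestamp() * 1000)


# Constructed sample audit log: one push before the window, two by expected
# staff inside it, one by an unexpected fresh account, one clone (ignored),
# and one push after the instance was patched.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"action": "git.push", "actor": "alice", "repo": "acme/payments", "@timestamp": _ms(2026, 3, 3)},
    {"action": "git.push", "actor": "bob", "repo": "acme/web", "@timestamp": _ms(2026, 3, 5, 9)},
    {"action": "git.push", "actor": "new-user-4821", "repo": "new-user-4821/scratch", "@timestamp": _ms(2026, 3, 6, 2)},
    {"action": "git.clone", "actor": "new-user-4821", "repo": "acme/web", "@timestamp": _ms(2026, 3, 7)},
    {"action": "git.push", "actor": "alice", "repo": "acme/web", "@timestamp": _ms(2026, 3, 8)},
    {"action": "git.push", "actor": "contractor-x", "repo": "acme/tools", "@timestamp": _ms(2026, 3, 12)},
])

EXPECTED_ACTORS = {"alice", "bob"}
PATCHED_AT = datetime(2026, 3, 10, 12, tzinfo=timezone.utc)  # when this instance was updated


def triage(installed_version, fixed_releases, audit_text, patched_at, expected_actors):
    """Run both checks and return one report dict."""
    return {
        "patched": is_patched(installed_version, fixed_releases),
        "suspicious_pushes": suspicious_pushes(parse_audit_log(audit_text), patched_at, expected_actors),
    }


if __name__ == "__main__":
    # Constructed demo values, NOT the advisory's real fixed releases. On GHES the
    # running release is the `installed_version` field of GET /api/v3/meta.
    report = triage("3.13.2", {"3.13": "3.13.5"}, SAMPLE_AUDIT_LOG, PATCHED_AT, EXPECTED_ACTORS)
    print("patched:", report["patched"])
    for actor, repo, when in report["suspicious_pushes"]:
        print(f"review push by {actor} to {repo} at {when}")
```

The window closes at the time the specific instance was updated rather than at March 10, because the flaw stays exploitable on that host until its own upgrade. Pushes to repositories the pushing account created itself are worth the same scrutiny as pushes to shared ones, since the article notes that a freshly created repository was sufficient to reach the injection.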
