CVE-2026-3854
HIGH · 8.8 · EPSS 0.3%
Vendor patching urgent but no KEV listing, PoC, or confirmed exploitation signal.
What: Improper neutralization of special elements in GitHub Enterprise Server git push options allows authenticated attackers to achieve remote code execution via header injection. CVSS 8.8 HIGH.
Why it matters: GitHub patched across six versions (3.14.25 through 3.19.4) within ~3 weeks of disclosure. Vendor statement indicates no in-the-wild exploitation detected pre-patch. Not KEV-listed. Social chatter amplifies severity but confirms vendor response; no public PoC or active exploitation reported.
Where it's seen: Blog posts from security firms (Wiz), industry newsletters, and threat-tracking accounts recycling vendor advisory. Posts emphasize RCE impact and patch urgency; no defender triage questions or PoC drops observed.
RISK: HIGH — Requires push access; rapid patching completed; no active exploitation confirmed.
AttackerKB
An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 and 3.19.4.
Public PoCs on GitHub (15 repos)
- nomi-sec/PoC-in-GitHub ★ 7687
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
- DarkFunct/TK-CVE-Repo ★ 49 · Python
TK-CVE-Repo
- cometkim/awesome-list ★ 22
My personal awesome list based on GitHub stars
- oslook/n8n-workflows ★ 4
4200 + Workflow Automation Templates are Grouped by Categories/Services for easy navigation
- lysophavin18/CVE-2026-3854-PoC ★ 2 · Python
GitHub RCE via X-Stat Push Option Injection
Articles & coverage (15 articles)
- CVE-2026-3854 - Vulnerability Details - OpenCVE
An improper neutralization of special elements vulnerability in GitHub Enterprise Server lets attackers with push access to a repository cause remote code execution by injecting malicious metadata fields during a git push. The attack vector is likely local to the server through legitimate git push operations, and an attacker must have push access to the target repository to exploit the flaw. | Git
- GitHub RCE Vulnerability (CVE-2026-3854)
GitHub RCE Vulnerability (CVE-2026-3854). A recently disclosed vulnerability (CVE-2026-3854) affects GitHub.com and GitHub Enterprise Server and may allow unauthenticated attackers to achieve remote code execution (RCE) on GitHub Infrastructure. CVE-2026-3854 is a severe security vulnerability caused by improper sanitization of user-supplied git push options within GitHub’s internal Git processing
- GitHub RCE Vulnerability: CVE-2026-3854 Breakdown - Wiz
Securing GitHub: Wiz Research uncovers Remote Code Execution in GitHub.com and GitHub Enterprise Server (CVE-2026-3854). Wiz Research uncovered a critical vulnerability (CVE-2026-3854) in GitHub's internal git infrastructure that could have affected both GitHub.com and GitHub Enterprise Server. By exploiting an injection flaw in GitHub's internal protocol, any authenticated user could execute ar
- GitHub Enterprise Server RCE (CVE-2026-3854)
Remote Code Execution in GitHub Enterprise Server via Git Push Injection (CVE-2026-3854). A critical vulnerability (CVE-2026-3854, CVSS 8.7) was disclosed affecting GitHub Enterprise Server and GitHub.com, allowing attackers to execute arbitrary comm
- GitHub vulnerability CVE-2026-3854 allows code execution with a single git push | brief | SC Media
GitHub vulnerability CVE-2026-3854 allows code execution with a single git push. A high-severity vulnerability, identified as CVE-2026-3854, has been discovered in GitHub that enables remote code execution through a basic git push operation. The vulnerability stems from a command injection issue, allowing an attacker with repository push access to execute arbitrary commands on vulnerable systems
NVD details · 1 CWE · 1 vendor · 7 refs
Description
An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 and 3.19.4.
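To make the bug class concrete, here is an added example (not GitHub's code) of a constructed internal-header format: the unsafe builder copies a push option verbatim, so a value carrying the delimiter appends an extra metadata field that the consumer then trusts; the hardened builder allowlists and percent-encodes the value, and a field-count check flags headers that were injected into. The delimiter, field names and allowlist are assumptions for illustration only.

```python
"""Delimiter injection into a metadata header, beside the hardened form.

Added example, not GitHub's code. The header format, its ';' delimiter and
the allowlist are constructed to illustrate the bug class the advisory
describes: a user-supplied push option is copied into an internal header
whose field delimiter can also appear in the input. GitHub's real format
and delimiter are not public.
"""
import re
from urllib.parse import quote, unquote

DELIM = ";"  # assumed field delimiter of the constructed header format
EXPECTED_FIELDS = 3
# Assumed allowlist for a push option value: no delimiter, no control chars.
PUSH_OPTION_RE = re.compile(r"[A-Za-z0-9._:/@ -]{1,256}")


def build_header_unsafe(user: str, repo: str, push_option: str) -> str:
    """Vulnerable: the push option is concatenated verbatim."""
    return DELIM.join([f"user={user}", f"repo={repo}", f"opt={push_option}"])


def build_header_safe(user: str, repo: str, push_option: str) -> str:
    """Hardened: validate against the allowlist, then percent-encode so the
    delimiter can never reach the serialized value (defense in depth)."""
    if not PUSH_OPTION_RE.fullmatch(push_option):
        raise ValueError("push option contains disallowed characters")
    encoded = quote(push_option, safe="")
    return DELIM.join([f"user={user}", f"repo={repo}", f"opt={encoded}"])


def parse_header(header: str) -> dict:
    """Consumer that splits on the delimiter; a later duplicate key wins,
    which is what lets an injected field override a trusted one."""
    fields = {}
    for part in header.split(DELIM):
        key, _, value = part.partition("=")
        fields[key] = unquote(value)
    return fields


def looks_injected(header: str) -> bool:
    """Detection check: more fields than the format defines means some
    value carried the delimiter."""
    return header.count(DELIM) + 1 > EXPECTED_FIELDS


# Constructed malicious push option: tries to append a second 'user' field.
CRAFTED = "ci-skip" + DELIM + "user=admin"
```

With the unsafe builder, `parse_header` reports the injected user and `looks_injected` returns True; the safe builder raises before the header is ever built.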
References
- https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.25
- https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.20
- https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.16
- https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.13
- https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.7
- https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.4
- https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854
Top posts driving the trend
- @shadowcatLabs · X · 5/3/2026
TEAMPCP announced alliance with LAPSUS$; addressed recent vulnerabilities and encryption methods; CVE-2026-3854 referenced in channel activity. #ThreatIntelligence #CTI #lapsus
♥ 0 · ↻ 0 · 💬 0
- @kompetenztraining.bsky.social · Bluesky · 5/3/2026
Does anyone here use GitHub? Every authenticated user could run commands on GitHub backend servers via git push: CVE-2026-3854, millions of repos affected. GitHub.com patched immediately; 88% of Enterprise instances still open. No joke.
♥ 0 · ↻ 0 · 💬 1
- @pvynckier.bsky.social · Bluesky · 5/3/2026
88% of self-hosted GitHub servers exposed to RCE, researchers warn (CVE-2026-3854) - Help Net Security www.helpnetsecurity.com/2026/04/29/c...
♥ 0 · ↻ 0 · 💬 0
- @PVynckier · X · 5/3/2026
88% of self-hosted GitHub servers exposed to RCE, researchers warn (CVE-2026-3854) - Help Net Security https://t.co/kP5dNgNfrX
♥ 0 · ↻ 0 · 💬 0
- @TechPowerCheck · X · 5/3/2026
What happened: Wiz found CVE-2026-3854 in GitHub’s internal Git infrastructure. The flaw could allow remote code execution using a standard git push command. GitHub patched https://t.co/g7w2PmNLEK the same day and says it found no evidence of exploitation.
♥ 0 · ↻ 0 · 💬 1
- @SinghAman21_ · X · 5/3/2026
2026 GitHub outages & CVE-2026-3854 RCE reveal scaling challenges from AI workflows. DevOps impacted by stalled PRs & Copilot issues. https://t.co/yuICq0n9sn #GitHub #DevOps #CloudSecurity
♥ 0 · ↻ 0 · 💬 0
- @technoholic.bsky.social · Bluesky · 5/2/2026
Cybersecurity alert: CVE-2026-3854 — a critical flaw impacting GitHub.com & Enterprise. With a single git push, authenticated users could execute remote code. CVSS 8.7. Stay alert!
♥ 0 · ↻ 0 · 💬 0
- @technoholic_me · X · 5/2/2026
Cybersecurity alert: CVE-2026-3854 — a critical flaw impacting https://t.co/vQAUBJ4Jfl & Enterprise. With a single git push, authenticated users could execute remote code. CVSS 8.7. Stay alert! https://t.co/RqH984qfEm
♥ 0 · ↻ 0 · 💬 0
- @pmloik.bsky.social · Bluesky · 5/2/2026
Top 3 CVE for last 7 days:
CVE-2026-31431: 403 interactions
CVE-2026-41940: 63 interactions
CVE-2026-3854: 55 interactions
Top 3 CVE for yesterday:
CVE-2026-31431: 190 interactions
CVE-2026-41940: 31 interactions
CVE-2024-1708: 5 interactions
♥ 0 · ↻ 0 · 💬 0
- @ChrisShort · X · 5/1/2026
GitHub RCE Vulnerability: CVE-2026-3854 Breakdown | Wiz Blog #devopsish https://t.co/tObCwvSYSa
♥ 0 · ↻ 0 · 💬 0
- @chrisshort.net · Bluesky · 5/1/2026
GitHub RCE Vulnerability: CVE-2026-3854 Breakdown | Wiz Blog #devopsish
♥ 0 · ↻ 0 · 💬 0
- @jos1727 · X · 5/1/2026
Researchers Discover Critical #GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push https://t.co/McJo6CEYlt
♥ 0 · ↻ 0 · 💬 0
- @PARAG27816153 · X · 5/1/2026
Critical GitHub security bug patched: GitHub fixed a major remote code execution (RCE) vulnerability (CVE-2026-3854) that could have exposed millions of repositories through a malicious git push. GitHub says no exploitation was found before patching. https://t.co/Nm0vquW3iX
♥ 0 · ↻ 0 · 💬 0
- @RH_ISAC · X · 5/1/2026
Researchers uncovered a critical vulnerability (CVE-2026-3854) in GitHub’s internal git infrastructure affecting both GitHub.com and GitHub Enterprise Server. By exploiting an injection flaw in GitHub’s internal protocol, any authenticated user could execute arbitrary commands
♥ 1 · ↻ 1 · 💬 0
- @diyasversion · X · 5/1/2026
Now GitHub! Let's dig: CVE-2026-3854 is a critical injection vulnerability in GitHub’s internal Git protocol that allows authenticated users to execute arbitrary code (RCE) on backend servers. CVSS SCORE-8.7 https://t.co/mIHJIpIhv0
♥ 4 · ↻ 1 · 💬 1
- @tatha_gautama · X · 5/1/2026
• #Hacked #Malware #Spyware #Zerodays #Ransomware #Phishing #Backdoor #RCE #RAT ☠️ • • #CyberSecurity #CyberCrime #DataHack #DataPrivacy #DataTheft #DataLeaks #DataBreach 💾 • » Researchers Discover Critical @github CVE-2026-3854 RCE Flaw Exploitable via Single Git Push
♥ 0 · ↻ 0 · 💬 0