Critical GitHub RCE Flaw Allows Code Execution via Single Git Push
Security researchers have publicly disclosed the technical details of CVE-2026-3854, a critical remote code execution vulnerability affecting both GitHub.com and GitHub Enterprise Server. The flaw allows any authenticated GitHub user to trigger remote code execution on the platform's server infrastructure through the act of pushing a single specially crafted commit.
The vulnerability carries a CVSS base score of 8.7, which falls in the High band rather than Critical; the "critical" label used here reflects how easy the flaw is to trigger and the blast radius described below. GitHub patched it following responsible disclosure. Organizations running GitHub Enterprise Server should verify that they have applied the available patch.
Vulnerability Details
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-3854 |
| CVSS Score | 8.7 (High) |
| Type | Remote Code Execution |
| Attack Vector | Network |
| Authentication Required | Yes (any authenticated user) |
| Complexity | Low |
| Affected Systems | GitHub.com, GitHub Enterprise Server |
| Patch Status | Available — apply immediately |
The flaw exists in GitHub's server-side git push processing pipeline. When a repository receives a push, the platform processes the incoming objects (commits, trees, blobs, and tags) through a series of server-side hooks and validation routines. The vulnerability stems from insufficient validation of object metadata or of the context in which server-side hooks execute; the public account summarized here does not pin down which. Either way, a maliciously crafted git object can escape the intended execution sandbox and trigger arbitrary code execution under the platform's server process.
Why "One Git Push" Makes This Critical
The attack's simplicity is what elevates it to critical concern despite the CVSS 8.7 classification:
- No special privileges needed — any standard GitHub user account suffices
- No target interaction required — the attack fires the moment the push is processed
- Automated and repeatable — the payload is embedded in the git object itself
- Works on both GitHub.com and Enterprise — broad impact across cloud and self-hosted
An attacker with a free GitHub account could exploit this against GitHub.com's infrastructure, or against any organization running a vulnerable version of GitHub Enterprise Server to which the account can push.
Attack Scenario
1. Attacker creates a GitHub account (or uses existing credentials)
2. Attacker creates a repository or is a collaborator on a target repo
3. Attacker crafts a malicious git commit object containing the exploit payload
4. Attacker executes: git push origin <branch>
5. GitHub's server-side processing receives and processes the push
6. The vulnerability is triggered during object processing/hook execution
7. Attacker achieves code execution on the GitHub server infrastructure
8. Potential outcomes:
- Access to server-side secrets and environment variables
- Exfiltration of private repository data
- Modification of repository data at rest
- Lateral movement within the GitHub infrastructure
Scope of Impact
GitHub.com (Cloud)
GitHub is the world's largest code hosting platform with:
- Over 100 million developers
- More than 420 million repositories
- Hosting for critical open-source projects including the Linux kernel, Kubernetes, and React
An RCE on GitHub.com infrastructure could have catastrophic supply chain consequences if used to tamper with hosted code or CI/CD pipelines.
GitHub Enterprise Server
Organizations self-hosting GitHub Enterprise Server are directly affected. This includes:
- Large enterprises managing proprietary codebases
- Government and defense organizations
- Financial institutions with air-gapped or compliance-controlled environments
Any organization running an unpatched GHES instance is a potential target for any authenticated user — including employees with standard developer access.
GitHub's Response
GitHub has issued a patch addressing CVE-2026-3854. The company followed its standard coordinated disclosure process and worked with the reporting researchers prior to public disclosure.
GitHub.com has already been patched by GitHub. Enterprise Server customers must apply the update themselves.
Recommended actions for GitHub Enterprise Server administrators:
```bash
# Run from the GHES administrative shell (ssh -p 122 admin@<ghes-host>).

# Check your current GHES version before patching
ghe-version

# Obtain the hotpatch (.hpkg) for your release line from the GitHub
# Enterprise downloads portal, or let the appliance fetch the latest
# patch release into /var/lib/ghe-updates:
ghe-update-check

# Apply the hotpatch with ghe-upgrade (there is no separate
# "ghe-hotpatch" command; ghe-upgrade installs both hotpatches and
# full upgrade packages). Follow your organization's standard GHES
# upgrade procedure for clustered or high-availability deployments.
ghe-upgrade /var/lib/ghe-updates/<hotpatch-file>.hpkg

# Verify the patch applied successfully: the reported version should
# now be at or above the fixed release
ghe-version
```
Indicators of Exploitation
GitHub Enterprise Server administrators should monitor for:
| Indicator | Description |
|---|---|
| Unexpected processes spawned by git-receive-pack | Server-side hook exploitation |
| Unusual outbound network connections from GHES host | C2 callback after exploitation |
| Anomalous repository operations in audit logs | Post-exploitation data access |
| Push events from unfamiliar user accounts | Attacker using created/compromised account |
| Server resource spikes during push operations | Exploit execution consuming resources |
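The two indicators that are easiest to check mechanically are the first (unexpected processes under `git-receive-pack`) and the fourth (push events from unfamiliar accounts). The script below is an added example, not GitHub's tooling and not from the disclosure: it walks a `ps -eo pid,ppid,comm` style process listing and flags any descendant of a `git-receive-pack` process whose command name is outside an expected set, and it scans one-JSON-object-per-line audit events for `git.push` actions by actors not on a known list. The process listing, the audit lines and the expected-process set are constructed here; the audit event shape (`action`, `actor`, `repo`) is simplified and should be checked against the schema your GHES audit log stream actually emits.

```python
"""Hunt for two push-processing indicators: odd children of git-receive-pack
and git.push events from unfamiliar actors. Added example with constructed
input; adjust EXPECTED_IN_PUSH and the log schema to your own host."""
import json

# Commands a git-receive-pack subtree legitimately contains on this host:
# git helpers plus the server-side hook entry points and their shell.
# This set is an assumption; baseline it against a known-good push.
EXPECTED_IN_PUSH = {
    "git-receive-pack", "git-index-pack", "git-unpack-objects",
    "git-update-ref", "pre-receive", "update", "post-receive", "sh",
}

# Constructed `ps -eo pid,ppid,comm` output: a push whose pre-receive hook
# shell has spawned curl and python3, which a normal hook would not do.
PS_LINES = [
    "  PID  PPID COMMAND",
    "    1     0 systemd",
    "  800     1 sshd",
    "  910   800 git-receive-pack",
    "  911   910 git-index-pack",
    "  912   910 pre-receive",
    "  913   912 sh",
    "  914   913 curl",
    "  915   913 python3",
]

# Constructed audit events (simplified schema) and the accounts we expect.
AUDIT_LINES = [
    '{"@timestamp": 1700000000000, "action": "git.push", "actor": "alice", "repo": "acme/payments"}',
    '{"@timestamp": 1700000060000, "action": "git.push", "actor": "new-user-9f3a", "repo": "acme/payments"}',
    '{"@timestamp": 1700000120000, "action": "repo.access", "actor": "bob", "repo": "acme/payments"}',
    "not json at all",
]
KNOWN_ACTORS = {"alice", "bob"}


def parse_ps(lines):
    """Parse ps output into {pid: (ppid, comm)}, skipping the header line."""
    procs = {}
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        procs[int(parts[0])] = (int(parts[1]), parts[2].strip())
    return procs


def unexpected_descendants(procs, expected=EXPECTED_IN_PUSH):
    """Return sorted [(pid, comm, chain)] for every process below a
    git-receive-pack whose command name is not in the expected set."""
    kids = {}
    for pid, (ppid, _) in procs.items():
        kids.setdefault(ppid, []).append(pid)
    findings = []
    roots = [pid for pid, (_, comm) in procs.items() if comm == "git-receive-pack"]
    for root in roots:
        stack = [(root, procs[root][1])]
        while stack:
            pid, chain = stack.pop()
            for child in kids.get(pid, []):
                comm = procs[child][1]
                child_chain = f"{chain} > {comm}"
                if comm not in expected:
                    findings.append((child, comm, child_chain))
                stack.append((child, child_chain))
    return sorted(findings)


def suspicious_pushes(audit_lines, known_actors):
    """Return git.push events whose actor is not in known_actors.
    Malformed lines are skipped rather than aborting the scan."""
    hits = []
    for raw in audit_lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if event.get("action") == "git.push" and event.get("actor") not in known_actors:
            hits.append(event)
    return hits


if __name__ == "__main__":
    for pid, comm, chain in unexpected_descendants(parse_ps(PS_LINES)):
        print(f"unexpected process {pid} ({comm}): {chain}")
    for event in suspicious_pushes(AUDIT_LINES, KNOWN_ACTORS):
        print(f"push by unfamiliar actor {event['actor']} to {event['repo']}")
```

On a live host, feed `unexpected_descendants` the output of `ps -eo pid,ppid,comm` captured while a push is being processed, and feed `suspicious_pushes` the lines from your streamed audit log; treat the known-actor list as a starting point, since a compromised legitimate account will not appear here and needs the other indicators in the table.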
Broader Supply Chain Risk
CVE-2026-3854 highlights a recurring class of vulnerability in code hosting infrastructure: server-side processing of developer-supplied data. Git's object model — where complex, nested structures are transferred from client to server — creates an inherently complex attack surface.
Historical context, from the git client side:
- CVE-2022-24765 (Git picks up a `.git` directory owned by another user, enabling privilege escalation on multi-user systems)
- CVE-2023-22490 (Git tricked into its local-clone optimization over a non-local transport, allowing arbitrary files to be exfiltrated from the victim's machine)
- CVE-2024-32002 (Git recursive submodule cloning RCE via symlinks on case-insensitive filesystems)
Those three flaws sit in the git client processing untrusted repositories; CVE-2026-3854 is the same class of problem in reverse, with the server processing untrusted client-supplied objects. Together they demonstrate that git's object model and transport remain an attractive target for researchers and attackers alike.
Recommended Mitigations
For GitHub Enterprise Server Administrators
- Apply the CVE-2026-3854 patch immediately — do not wait for a maintenance window
- Review audit logs for suspicious push activity in the period before patching
- Restrict repository creation to trusted users if possible during the patch window
- Enable GHES audit log streaming for real-time visibility into push operations
- Isolate the GHES host from unnecessary internal network access
For Development Teams
- Verify your organization's GHES version is patched before continuing development operations
- Review CI/CD pipeline secrets for potential exposure if exploitation is suspected
- Rotate any secrets stored in repository environment variables as a precaution
- Enable branch protection rules to limit push access to production branches
Key Takeaways
- CVE-2026-3854 is a critical RCE flaw in GitHub.com and GitHub Enterprise Server
- A single authenticated git push is sufficient to trigger the exploit
- GitHub.com has been patched — Enterprise Server customers must apply updates manually
- The vulnerability underscores the supply chain risk of server-side git processing
- All GitHub Enterprise Server deployments should treat this as a priority-zero patch