CVE-2026-3854
published 2026-03-10


Priority: P277 · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 24.46% (97.6th percentile)
An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 and 3.19.4.

Affected (12 ranges)

Vendor   Product            Version range        Fixed in
github   enterprise_server  < 3.14.24            3.14.24
github   enterprise_server  3.14.0 – 3.14.24
github   enterprise_server  >= 3.15.0, < 3.15.19  3.15.19
github   enterprise_server  3.15.0 – 3.15.19
github   enterprise_server  >= 3.16.0, < 3.16.15  3.16.15
github   enterprise_server  3.16.0 – 3.16.15
github   enterprise_server  >= 3.17.0, < 3.17.12  3.17.12
github   enterprise_server  3.17.0 – 3.17.12
github   enterprise_server  >= 3.18.0, < 3.18.6   3.18.6
github   enterprise_server  3.18.0 – 3.18.6
github   enterprise_server  >= 3.19.0, < 3.19.3   3.19.3
github   enterprise_server  3.19.0 – 3.19.3

Detection & IOCs (extracted from sources)

other:    user_operator_mode=bool:true
command:  git push --push-option=<crafted_value>
version:  GHES 3.19.1
  • Monitor git push operations for push option values containing semicolons, which is the delimiter character used in the internal X-Stat header format and the injection vector for this vulnerability.
  • Alert on git push operations that result in 'Operator mode enabled.' appearing in remote output, as this indicates successful injection of the user_operator_mode=bool:true field via the X-Stat header.
  • Detect exploitation attempts by monitoring for injected X-Stat header fields: rails_env (non-production value), custom_hooks_dir (arbitrary path), and repo_pre_receive_hooks (crafted hook entry with path traversal sequences).
  • On GHES, monitor for unexpected process execution under the 'git' service user (uid=500, gid=500) that is not part of normal hook execution, as this is the user context achieved by successful exploitation.
  • Audit internal service traffic for anomalous X-Stat header values, particularly those containing semicolons followed by field names such as rails_env, custom_hooks_dir, or repo_pre_receive_hooks, which indicate header injection attempts.
  • Exploitation requires the attacker to have push access to at least one repository on the target instance; unauthenticated or read-only users cannot exploit this vulnerability.
  • GitHub.com has already been patched; no action is required for GitHub.com users. Only GitHub Enterprise Server administrators need to apply patches.
  • At the time of public disclosure, approximately 88% of reachable GHES instances remained unpatched and vulnerable.
  • Forensic investigation found no evidence of malicious exploitation prior to Wiz's disclosure; all anomalous code path triggers were attributable solely to Wiz researchers' testing.
  • On GitHub.com, successful RCE grants access to shared storage nodes, enabling cross-tenant read access to millions of repositories across different users and organizations on the same node.
  • On GHES, successful exploitation grants full server compromise including filesystem read/write access and visibility into internal service configuration and all hosted repositories and secrets.
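The detection bullets above reduce to one check: a push-option value that contains the internal header delimiter (a semicolon) followed by one of the named X-Stat fields. The following is an added example, not code from the advisory, from GitHub or from the cited researchers. It runs that check over a few constructed push log lines (the log line format, repository and user names are assumptions) and also shows an illustrative server-side guard that refuses a push option before it is embedded in a delimited header; that guard is a generic mitigation pattern, not GitHub's actual fix.

```python
"""Added example: flag git push-option values carrying the semicolon-delimited
field injection described in CVE-2026-3854. Log format and sample values are
constructed for illustration; field names come from the advisory text."""
import re
from dataclasses import dataclass, field

# Field names the advisory lists as injectable through the internal X-Stat header.
SUSPECT_FIELDS = frozenset({
    "user_operator_mode", "rails_env", "custom_hooks_dir", "repo_pre_receive_hooks",
})
DELIM = ";"  # delimiter of the internal header format, per the advisory

# Assumed log-line shape: <ts> push repo=<repo> user=<user> opt="<push option>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) push repo=(?P<repo>\S+) user=(?P<user>\S+) opt="(?P<opt>[^"]*)"$'
)
FIELD_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


@dataclass
class Finding:
    ts: str
    repo: str
    user: str
    verdict: str                      # "clean", "delimiter" or "injection"
    fields: list = field(default_factory=list)
    traversal: bool = False           # "../" seen in an injected hook path


def injected_fields(opt: str) -> list:
    """Return (name, value) pairs for key=value segments that follow a semicolon."""
    pairs = []
    for seg in opt.split(DELIM)[1:]:
        m = FIELD_RE.match(seg)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def triage_push_option(opt: str) -> tuple:
    """Classify one push-option value: (verdict, suspect field names, traversal?)."""
    if DELIM not in opt:
        return "clean", [], False
    pairs = injected_fields(opt)
    names = [n for n, _ in pairs if n in SUSPECT_FIELDS]
    traversal = any(
        n == "repo_pre_receive_hooks" and ("../" in v or "..\\" in v) for n, v in pairs
    )
    return ("injection" if names else "delimiter"), names, traversal


def scan_log(lines) -> list:
    """Parse push log lines and return one Finding per push event."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a push line, or malformed
        verdict, names, trav = triage_push_option(m["opt"])
        findings.append(Finding(m["ts"], m["repo"], m["user"], verdict, names, trav))
    return findings


def safe_push_option(opt: str) -> str:
    """Illustrative guard (assumption, not GitHub's fix): refuse a push option that
    contains the header delimiter or control characters before it is embedded."""
    if DELIM in opt or any(ord(c) < 0x20 for c in opt):
        raise ValueError("push option contains characters forbidden in header fields")
    return opt


# Constructed sample log; the injected values mirror the IOCs listed in the advisory.
SAMPLE_LOG = [
    '2026-03-10T09:00:00Z push repo=acme/app user=alice opt="ci.skip"',
    '2026-03-10T09:01:00Z push repo=acme/app user=mallory opt="notes;user_operator_mode=bool:true"',
    '2026-03-10T09:02:00Z push repo=acme/web user=bob opt="tag a;b"',
    '2026-03-10T09:03:00Z push repo=acme/web user=mallory opt="x;repo_pre_receive_hooks=../../hook"',
    '2026-03-10T09:04:00Z fetch repo=acme/app user=carol',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.repo} {f.user}: {f.verdict} {f.fields} traversal={f.traversal}")
```

A plain semicolon with no known field name behind it is reported as "delimiter" rather than "injection"; it is still worth a look because the delimiter itself is what the vulnerable code failed to neutralize, but it is far noisier than a hit on one of the named fields.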

CVSS provenance

nvd  v3.1  8.8  HIGH  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd  v4.0  8.7  HIGH  CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X