CVE-2026-3854
Published 2026-03-10
CVE-2026-3854: An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a…
Priority P277 · CVSS 3.1: 8.8 (high)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 24.46% (97.6th percentile)
An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 and 3.19.4.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github | enterprise_server | < 3.14.24 | 3.14.24 |
| github | enterprise_server | 3.14.0 – 3.14.24 | — |
| github | enterprise_server | >= 3.15.0 < 3.15.19 | 3.15.19 |
| github | enterprise_server | 3.15.0 – 3.15.19 | — |
| github | enterprise_server | >= 3.16.0 < 3.16.15 | 3.16.15 |
| github | enterprise_server | 3.16.0 – 3.16.15 | — |
| github | enterprise_server | >= 3.17.0 < 3.17.12 | 3.17.12 |
| github | enterprise_server | 3.17.0 – 3.17.12 | — |
| github | enterprise_server | >= 3.18.0 < 3.18.6 | 3.18.6 |
| github | enterprise_server | 3.18.0 – 3.18.6 | — |
| github | enterprise_server | >= 3.19.0 < 3.19.3 | 3.19.3 |
| github | enterprise_server | 3.19.0 – 3.19.3 | — |
Detection & IOCs (extracted from sources)
- Monitor git push operations for push option values containing semicolons, which is the delimiter character used in the internal X-Stat header format and the injection vector for this vulnerability.
- Alert on git push operations that result in 'Operator mode enabled.' appearing in remote output, as this indicates successful injection of the user_operator_mode=bool:true field via the X-Stat header.
- Detect exploitation attempts by monitoring for injected X-Stat header fields: rails_env (non-production value), custom_hooks_dir (arbitrary path), and repo_pre_receive_hooks (crafted hook entry with path traversal sequences).
- On GHES, monitor for unexpected process execution under the 'git' service user (uid=500, gid=500) that is not part of normal hook execution, as this is the user context achieved by successful exploitation.
- Audit internal service traffic for anomalous X-Stat header values, particularly those containing semicolons followed by field names such as rails_env, custom_hooks_dir, or repo_pre_receive_hooks, which indicate header injection attempts.
- Exploitation requires the attacker to have push access to at least one repository on the target instance; unauthenticated or read-only users cannot exploit this vulnerability.
- GitHub.com has already been patched; no action is required for GitHub.com users. Only GitHub Enterprise Server administrators need to apply patches.
- At the time of public disclosure, approximately 88% of reachable GHES instances remained unpatched and vulnerable.
- Forensic investigation found no evidence of malicious exploitation prior to Wiz's disclosure; all anomalous code path triggers were attributable solely to Wiz researchers' testing.
- On GitHub.com, successful RCE grants access to shared storage nodes, enabling cross-tenant read access to millions of repositories across different users and organizations on the same node.
- On GHES, successful exploitation grants full server compromise including filesystem read/write access and visibility into internal service configuration and all hosted repositories and secrets.
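The detection guidance above reduces to one rule: a push option value is untrusted input, so a semicolon in it, and especially a semicolon followed by one of the named X-Stat field names, should raise an alert. The scanner below is an added example, not code from the advisory, GitHub or Wiz; it assumes a hypothetical log format in which the server records each push option as push_option="<value>", and the sample lines are constructed.

```python
import re
from dataclasses import dataclass, field

# Header field names that the detection guidance above names as injection targets.
TARGET_FIELDS = {"rails_env", "custom_hooks_dir",
                 "repo_pre_receive_hooks", "user_operator_mode"}

# A ';' followed by 'name=' is the shape of an extra field smuggled into a
# semicolon-delimited header; '../' is the traversal sequence the guidance mentions.
FIELD_RE = re.compile(r";\s*([A-Za-z_][A-Za-z0-9_]*)\s*=")
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


@dataclass
class Finding:
    value: str
    level: str                        # "suspicious" (bare ';') or "injection"
    fields: list = field(default_factory=list)
    traversal: bool = False


def inspect_push_option(value):
    """Classify one push option value; returns None when it contains no ';'."""
    if ";" not in value:
        return None
    hits = [name for name in FIELD_RE.findall(value) if name in TARGET_FIELDS]
    return Finding(value, "injection" if hits else "suspicious",
                   hits, bool(TRAVERSAL_RE.search(value)))


# Hypothetical log format (assumption): the server records each push option as
# push_option="<value>". These lines are constructed, not real GHES output.
OPTION_RE = re.compile(r'push_option="([^"]*)"')
SAMPLE_LOG = """\
2026-03-05T10:00:01Z push repo=acme/app user=alice push_option="ci.skip"
2026-03-05T10:00:02Z push repo=acme/app user=bob push_option="note=hello; world"
2026-03-05T10:00:03Z push repo=acme/app user=carol push_option="x;user_operator_mode=bool:true"
2026-03-05T10:00:04Z push repo=acme/app user=carol push_option="x;rails_env=development;repo_pre_receive_hooks=../../hook"
"""


def scan_log(text):
    """Return one Finding per logged push option that warrants an alert."""
    findings = []
    for line in text.splitlines():
        m = OPTION_RE.search(line)
        if m:
            f = inspect_push_option(m.group(1))
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.level, f.fields, "traversal" if f.traversal else "", repr(f.value))
```

A bare semicolon is reported as "suspicious" rather than ignored because the first bullet above treats any semicolon in a push option as the injection vector, while a match on a named field escalates to "injection".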
CVSS provenance
- NVD, v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD, v4.0: 8.7 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
No detection rules found.
No public exploits indexed.
Wiz
A Framework for AI Threat Readiness
blogs_wiz·2026-05-08
CVE-2026-3854 A Framework for AI Threat Readiness
Recent and continued advancements in AI models have fundamentally changed how vulnerabilities are found and exploited. Published research, including our own AI cyber model arena , has shown that frontier models can now autonomously discover zero-day vulnerabilities, generate working exploits, and chain multiple weaknesses together – changing the scale and speed at which risk emerges.
The pace is still accelerating: more vulnerabilities will be discovered and disclosed, and the time between discovery and exploitation will continue to shrink . In the short term, exploit development accelerates. In the medium term, the volume of AI-discovered vulnerabilities increases. Over time, security must adapt to continuous, AI-driven discovery and exploitation.
We believe this is ultimately a very po
Hackernews
⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More
blogs_hackernews·2026-05-04·CVSS 9.3
CVE-2026-41940 [CRITICAL] ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More
## ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More
This week, the shadows moved faster than the patches.
While most teams were still triaging last month’s alerts, attackers had already turned control panels into kill switches, kernels into open doors, and open-source pipelines into silent delivery systems.
The game has shifted from breach to occupation. They’re living inside SaaS sessions, pushing code with trusted commits, and scaling operations like legitimate businesses — except their product is chaos. And the underground is getting uncomfortably professional.
Here’s the full week
Bleepingcomputer
GitHub fixes RCE flaw that gave access to millions of private repos
blogs_bleepingcomputer·2026-04-29·CVSS 8.7
CVE-2026-3854 [HIGH] GitHub fixes RCE flaw that gave access to millions of private repos
## GitHub fixes RCE flaw that gave access to millions of private repos
## Sergiu Gatlan
In early March, GitHub patched a critical remote code execution vulnerability ( CVE-2026-3854 ) that could have allowed attackers to access millions of private repositories.
The flaw was reported on March 4, 2026, by researchers at cybersecurity firm Wiz through GitHub's bug bounty program. GitHub Chief Information Security Officer Alexis Wales said the company's security team reproduced and confirmed the vulnerability within 40 minutes and deployed a fix to GitHub.com less than two hours after receiving the report.
CVE-2026-3854 affects GitHub.com, GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, GitHub Enterprise Cloud with Enterprise Managed Users, and GitHub Enterprise Serve
Wiz
Securing GitHub: Wiz Research uncovers Remote Code Execution in GitHub.com and GitHub Enterprise Server (CVE-2026-3854)
blogs_wiz·2026-04-28·CVSS 8.8
CVE-2026-3854 [HIGH] Securing GitHub: Wiz Research uncovers Remote Code Execution in GitHub.com and GitHub Enterprise Server (CVE-2026-3854)
git push
Notably, this is one of the first critical vulnerabilities discovered in closed-source binaries using AI, highlighting a shift in how these flaws are identified. Despite the complexity of the underlying system, the vulnerability is remarkably easy to exploit. On GitHub.com, this vulnerability allowed remote code execution on shared storage nodes. We confirmed that millions of public and private repositories belonging to other users and organizations were accessible on the affected nodes. On GitHub Enterprise Server, the same vulnerability grants full server compromise, including access to all hosted repositories and internal secrets.
GitHub mitigated this issue on GitHub.com within 6 hours of our report, released patches for all supported versions of GitHub Enterprise Server, an
Hackernews
Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push
blogs_hackernews·2026-04-28·CVSS 8.7
CVE-2026-3854 [HIGH] Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push
## Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push
Cybersecurity researchers have disclosed details of a critical security vulnerability impacting GitHub.com and GitHub Enterprise Server that could allow an authenticated user to obtain remote code execution with a single "git push" command.
The flaw, tracked as CVE-2026-3854 (CVSS score: 8.7), is a case of command injection that could allow an attacker with push access to a repository to achieve remote code execution on the instance.
"During a git push operation, user-supplied push option values were not properly sanitized before bei
Wiz
CVE-2026-3854 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-3854 [HIGH] CVE-2026-3854 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3854 :
GitHub Enterprise Server vulnerability analysis and mitigation
An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3
Wiz
CVE-2026-3306 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-3306 [HIGH] CVE-2026-3306 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3306 :
GitHub Enterprise Server vulnerability analysis and mitigation
An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed a user with read access to a repository and write access to a project to modify issue and pull request metadata through the project. When adding an item to a project that already existed, column value updates were applied without verifying the actor's repository write permissions. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3.
Source: NVD
Score: 5.3 · Published March 10, 2026 · Severity: MEDIUM · CNA score: 5.3 · Affected technologies: GitHub Enterprise Server · Has public exploit: No
Wiz
CVE-2025-13744 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.4
CVE-2025-13744 [HIGH] CVE-2025-13744 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13744 :
GitHub Enterprise Server vulnerability analysis and mitigation
An Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed attacker controlled HTML to be rendered by the Filter component (search) across GitHub that could be used to exfiltrate sensitive information. An attacker would require permissions to create or modify the names of milestones, issues, pull requests, or similar entities that are rendered in the vulnerable filter/search components. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.1, and 3.18.2, 3.17.8, 3.16.11, 3.15.15, and 3.14.20. This vulnerability was reported via the GitHub Bug Bounty program.
Source: NVD
Wiz
CVE-2025-14046 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2025-14046 [HIGH] CVE-2025-14046 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14046 :
GitHub Enterprise Server vulnerability analysis and mitigation
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by certain Project views, leading to unintended server-side POST requests or other unauthorized backend interactions. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a privileged user to view crafted malicious content that includes conflicting HTML elements. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.3, 3.17
Wiz
CVE-2026-2266 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-2266 [HIGH] CVE-2026-2266 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2266 :
GitHub Enterprise Server vulnerability analysis and mitigation
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed DOM-based cross-site scripting via task list content. The task list content extraction logic did not properly re-encode browser-decoded text nodes before rendering, allowing user-supplied HTML to be injected into the page. An authenticated attacker could craft malicious task list items in issues or pull requests to execute arbitrary scripts in the context of another user's browser session. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.18.6 and 3.19.3. This vulnerability was reported via the GitHub Bug Bounty program.
Source: NVD
## 7.4
Wiz
The CVE database: vulnerability intelligence curated by Wiz | Wiz
blogs_wiz·CVSS 8.8
[HIGH] The CVE database: vulnerability intelligence curated by Wiz | Wiz
## Wiz vulnerability database
A comprehensive resource for tracking high-profile vulnerabilities in cloud environments, tailored for security teams and cloud professionals
See how Wiz detects exploitable vulnerabilities in cloud workloads. Watch the 12-minute demo
## Browse by technology
## Popular filters
## High profile
| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploited | Has fix | Publication date |
|---|---|---|---|---|---|---|---|
| CVE-2026-3854 | HIGH | 8.7 | GitHub Enterprise Server | cpe:2.3:a:github:enterprise_server | No | Yes | Mar 10, 2026 |
| CVE-2026-26220 | CRITICAL | 9.3 | Python | lightllm | No | No | Feb 17, 2026 |
| CVE-2026-2006 | HIGH | 8.8 | PostgreSQL | postgresql:13::postgresql-test-rpm-macros | No | Yes | Feb 12, 2026 |
CVE-2026
Wiz
CVE-2026-1355 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.0
CVE-2026-1355 [MEDIUM] CVE-2026-1355 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1355 :
GitHub Enterprise Server vulnerability analysis and mitigation
A Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to upload unauthorized content to another user’s repository migration export due to a missing authorization check in the repository migration upload endpoint. By supplying the migration identifier, an attacker could overwrite or replace a victim’s migration archive, potentially causing victims to download attacker-controlled repository data during migration restores or automated imports. An attacker would require authentication to the victim's GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.2, 3.18.5, 3.
Wiz
CVE-2026-1999 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-1999 [HIGH] CVE-2026-1999 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1999 :
GitHub Enterprise Server vulnerability analysis and mitigation
A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to access internal services bound to loopback or unspecified addresses, potentially disrupting background job processing, accessing administrative endpoints, metrics, and profiling data, or manipulating job queues. Exploitation required an authenticated user with permissions to configure webhooks (repository, organization, or GitHub App administrator privileges). This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.14.22, 3.15.17, 3.16.13, 3.17.10, 3.18.4, and 3.19.1. This vulnerability was reported via the GitHub Bug Bount
Wiz
CVE-2026-3582 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-3582 [HIGH] CVE-2026-3582 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3582 :
GitHub Enterprise Server vulnerability analysis and mitigation
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user must have had existing access to the repository through organization membership or as a collaborator for the vulnerability to be exploitable. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.16.15, 3.17.12, 3.18.6 and 3.19.3. This vulnerability was reported via the GitHub Bug Bounty program.
Source: NVD
## 5.3
Score
Published March 10, 2026
Seve
Wiz
CVE-2026-0573 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.6
CVE-2026-0573 [HIGH] CVE-2026-0573 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0573 :
GitHub Enterprise Server vulnerability analysis and mitigation
An URL redirection vulnerability was identified in GitHub Enterprise Server that allowed attacker-controlled redirects to leak sensitive authorization tokens. The repository_pages API insecurely followed HTTP redirects when fetching artifact URLs, preserving the authorization header containing a privileged JWT. An authenticated user could redirect these requests to an attacker-controlled domain, exfiltrate the Actions.ManageOrgs JWT, and leverage it for potential remote code execution. Attackers would require access to the target GitHub Enterprise Server instance and the ability to exploit a legacy redirect to an attacker-controlled domain. This vulnerability affected all versions of GitHub Enterprise Serve
https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.25
https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.20
https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.16
https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.13
https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.7
https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.4
https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854
Published 2026-03-10