
Securing GitHub: Wiz Research uncovers Remote Code Execution in GitHub.com and GitHub Enterprise Server (CVE-2026-3854)

Published:

28 April 2026 at 15:30:00

Alert date:

28 April 2026 at 16:02:02

Source:

wiz.io


Web Technologies, Zero-Day Vulnerabilities, Enterprise Applications

Wiz Research discovered a critical remote code execution vulnerability (CVE-2026-3854) affecting both GitHub.com and GitHub Enterprise Server. The flaw exists in GitHub's internal git infrastructure, potentially allowing attackers to execute arbitrary code on affected systems. This represents a significant security risk given GitHub's widespread use for code hosting and collaboration across the software development community.

Technical details

CVE-2026-3854 is an injection flaw in GitHub's internal X-Stat header protocol. The vulnerability occurs because git push options containing semicolons are copied directly into the X-Stat header without sanitization. Since the semicolon is the field delimiter, an attacker can inject new fields that override security settings, because the header is parsed with last-write-wins semantics. The attack chain involves: 1) injecting rails_env to bypass sandbox restrictions, 2) injecting custom_hooks_dir to control the hook script directory, and 3) injecting repo_pre_receive_hooks with path traversal to execute arbitrary binaries. On GitHub.com, an additional enterprise mode flag injection is required. The vulnerability allows RCE as the git service user, with filesystem access to all repositories on shared storage nodes.

Mitigation steps:

GitHub.com users: No action required - GitHub has mitigated this issue
GitHub Enterprise Server: Upgrade immediately to GHES version 3.19.3 or later
GHES administrators should upgrade to fixed versions: 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6, or 3.19.3
Wiz customers can use the pre-built query in Wiz Threat Center to identify vulnerable GHES instances
Monitor for suspicious git push operations with unusual push options containing semicolons
Audit multi-service architectures for similar input sanitization issues in internal protocols
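As an added example of the monitoring and audit steps above (this is not code from Wiz or GitHub), the Python below scans a constructed push-option audit log for the semicolon delimiter and for the field names the advisory lists, and shows the input check an internal delimited protocol should apply before copying a push option into a header. The log record format is hypothetical.

```python
# Field names that the advisory reports being injected via the X-Stat header.
SUSPICIOUS_FIELDS = {"rails_env", "custom_hooks_dir", "repo_pre_receive_hooks"}

# Constructed sample audit log: (repository, list of git push -o option strings).
# The record shape is an assumption for this example, not a real GitHub log format.
SAMPLE_PUSHES = [
    ("acme/app", ["ci.skip"]),
    ("acme/app", ["ci.skip;rails_env=development"]),
    ("acme/infra", ["deploy=prod", "note=hello;custom_hooks_dir=../../tmp"]),
    ("acme/lib", []),
]


def analyze_push_option(option):
    """Return findings for one push option string (empty list when benign).

    A ';' in the value is itself the signal: in a semicolon-delimited
    key=value header parsed last-write-wins, everything after it becomes
    extra fields. Each such field is then checked against the advisory's
    field names and for a path-traversal sequence.
    """
    findings = []
    if ";" in option:
        findings.append("delimiter")
        for field in option.split(";")[1:]:
            key = field.split("=", 1)[0].strip()
            if key in SUSPICIOUS_FIELDS:
                findings.append("override:" + key)
            if "../" in field:
                findings.append("traversal")
    return findings


def flag_pushes(pushes):
    """Run analyze_push_option over every option in the log and collect alerts."""
    alerts = []
    for repo, options in pushes:
        for opt in options:
            findings = analyze_push_option(opt)
            if findings:
                alerts.append((repo, opt, findings))
    return alerts


def is_safe_header_value(value):
    """Input check for a delimited internal protocol: a value may never carry
    the field delimiter or a line break, otherwise it must be rejected
    (or encoded) before being copied into the header."""
    return ";" not in value and "\n" not in value
```

Running `flag_pushes(SAMPLE_PUSHES)` on the constructed log yields two alerts, one for each option that contains the delimiter.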

Affected products:

GitHub.com
GitHub Enterprise Server <= 3.19.1
GitHub Enterprise Server versions 3.14.x, 3.15.x, 3.16.x, 3.17.x, 3.18.x and 3.19.x

Related links:

Related CVEs:

Related threat actors:

IOCs:

Git push commands with semicolon-containing push options (-o parameter)
X-Stat header field injection patterns containing security field overrides
Push options containing rails_env, custom_hooks_dir, or repo_pre_receive_hooks field injections
Git push commands targeting GitHub repositories with malformed push option values

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
