GitHub Patches Severe RCE Flaw Impacting Enterprise Server Deployments
Among the most severe SaaS vulnerabilities ever discovered
GitHub has patched a critical remote code execution vulnerability tracked as CVE-2026-3854. The flaw allowed an attacker with push access to a repository to compromise repositories and the underlying infrastructure with a single malicious command.
The vulnerability was reported by Wiz through a bug bounty submission on March 4, 2026. GitHub confirmed the issue within 40 minutes and deployed a fix to GitHub.com in under two hours, a response time that reflects the severity and urgency of the flaw.
Single git push could trigger full compromise
The exploit relied on a crafted git push that abused improper sanitization of user-supplied options: attacker-controlled input was injected into internal server metadata, and chained values could then be used to bypass sandbox protections.
Once triggered, the vulnerability enabled remote code execution on GitHub infrastructure. In practical terms, this could grant full read and write access to private repositories and expose sensitive enterprise codebases.
Security researcher Sagi Tzadik confirmed that the exploit path could reach repositories hosted on affected nodes. For GitHub Enterprise Server deployments the risk extended further, with the potential for full server compromise and access to the secrets stored on it.
Enterprise systems faced highest risk
The vulnerability impacted multiple GitHub environments, including GitHub.com, GitHub Enterprise Cloud, and GitHub Enterprise Server. GitHub.com and Enterprise Cloud were fixed server-side by GitHub; on-premises GHES deployments depend on their administrators applying the update, so the exposure persists until each instance is upgraded.
Initial data suggested that around 88% of internet-exposed GHES instances remained unpatched shortly after disclosure, which significantly increased the risk for organizations running self-hosted environments.
GitHub has since released patches across multiple supported GHES versions and urged administrators to update immediately to mitigate exposure.
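A self-hosted administrator's first question is whether a given appliance is on a patched release. The following is an added example (not GitHub's or Wiz's code) that reads the `installed_version` field from a GHES instance's `/api/v3/meta` response and compares it with the minimum patched version for that release line. The article does not list the fixed versions, so the `EXAMPLE_PATCHED_MINIMUMS` table holds placeholder numbers that must be replaced with the values from GitHub's advisory; the sample JSON bodies are constructed for the demonstration and are not real responses.

```python
"""Classify a GitHub Enterprise Server instance as patched or unpatched.

Added example, not GitHub's or Wiz's code. The page does not state the fixed
GHES versions; EXAMPLE_PATCHED_MINIMUMS below is a placeholder table and must
be replaced with the versions listed in GitHub's advisory before real use.
"""
import json
import re
import urllib.request
from typing import Dict, Optional, Tuple

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# HYPOTHETICAL values for illustration only: release line -> first fixed build.
# The real numbers come from GitHub's advisory, not from this article.
EXAMPLE_PATCHED_MINIMUMS: Dict[str, str] = {
    "3.12": "3.12.99",
    "3.13": "3.13.99",
    "3.14": "3.14.99",
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '3.14.1' (optionally with a suffix such as '-rc1') into a tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def assess_meta(meta_json: str, patched_minimums: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Classify an instance from the JSON body of GET /api/v3/meta.

    Returns the installed version, its release line, the minimum patched
    version for that line (None if the line is not in the table) and a status
    of 'patched', 'unpatched' or 'unknown-line'. A line missing from the table
    is treated as a risk rather than silently passed: it is either out of
    support or the table has not been updated.
    """
    meta = json.loads(meta_json)
    installed = meta.get("installed_version")
    if not installed:
        raise ValueError("meta response carries no installed_version; "
                         "check the token's access or that the host is GHES")
    major, minor, patch = parse_version(installed)
    line = f"{major}.{minor}"
    required = patched_minimums.get(line)
    if required is None:
        status = "unknown-line"
    elif (major, minor, patch) >= parse_version(required):
        status = "patched"
    else:
        status = "unpatched"
    return {"installed": installed, "line": line, "required": required, "status": status}


def fetch_meta(base_url: str, token: Optional[str] = None, timeout: float = 10.0) -> str:
    """Retrieve /api/v3/meta from a GHES host. Network call; not used offline."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v3/meta",
        headers={"Accept": "application/vnd.github+json"},
    )
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample bodies (shape of the meta endpoint; values are made up).
SAMPLE_UNPATCHED = '{"installed_version": "3.13.4", "verifiable_password_authentication": false}'
SAMPLE_PATCHED = '{"installed_version": "3.14.99", "verifiable_password_authentication": false}'
SAMPLE_EOL = '{"installed_version": "3.9.7"}'

if __name__ == "__main__":
    for body in (SAMPLE_UNPATCHED, SAMPLE_PATCHED, SAMPLE_EOL):
        print(assess_meta(body, EXAMPLE_PATCHED_MINIMUMS))
    # Against a live appliance (hypothetical host and token):
    # print(assess_meta(fetch_meta("https://ghes.example.com", token="..."), EXAMPLE_PATCHED_MINIMUMS))
```

On the appliance itself the same version string is printed by the `ghe-version` command in the administrative shell, which avoids the API call entirely. Either way, an instance that reports `unpatched` or `unknown-line` should be upgraded or taken off the network until it is, since the GitHub.com fix does nothing for self-hosted servers.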
No evidence of active exploitation
Despite the severity, GitHub stated that there is no evidence the vulnerability was exploited in the wild before disclosure. Only Wiz researchers executed the exploit, during testing, and no customer data was accessed or exfiltrated.
The issue still ranks among the most serious SaaS vulnerabilities identified in recent years because of its potential impact on enterprise infrastructure and source code security worldwide.
GitHub shifts focus after recent incidents
Alongside the security update, reports indicate that GitHub is preparing changes to its Copilot pricing model. The service is expected to move toward token-based pricing starting June 1.
GitHub is also prioritizing service availability following recent outages, signaling a broader effort to improve reliability across its platform.
Read our disclosure page to find out how you can help Windows Report sustain the editorial team.