Securing the git push pipeline: Responding to a critical remote code execution vulnerability
Summary
A critical remote code execution (RCE) vulnerability, identified as CVE-2026-3854, was discovered in the GitHub git push pipeline. The flaw allowed any user with push access to execute arbitrary commands on the server by leveraging unsanitized git push options.
Key Points
- Vulnerability Identifier: CVE-2026-3854.
- Affected Platforms: github.com, GitHub Enterprise Cloud (including Data Residency and Enterprise Managed Users), and GitHub Enterprise Server (GHES).
- Exploit Vector: A single git push command using crafted push options that contained an unsanitized delimiter character.
- Required GHES Updates: Administrators must upgrade to versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, 3.20.0, or later.
- Audit Requirement: GHES users should inspect /var/log/github-audit.log for push operations containing the ";" character within push options.
- Exploitation Status: No evidence of exploitation was found on github.com or GitHub Enterprise Cloud prior to the patch.
Technical Details
The vulnerability stems from how metadata is passed between internal services during a git push operation. When a push occurs, metadata such as repository type and the intended processing environment is transmitted via an internal protocol. The vulnerability allowed user-supplied git push options to be incorporated into this metadata without sufficient sanitization. Because the internal metadata format utilized a delimiter character that could also be provided in user input, an attacker could inject additional fields. By chaining these injected values, an attacker could override the environment in which the push was processed and bypass the sandboxing protections designed to constrain hook execution.
The investigation also identified a secondary issue where an unnecessary code path, intended for a different product configuration, was present in the server's container image. This occurred because a change in the deployment model failed to carry forward the exclusion of this code. While the primary fix involved sanitizing the input to prevent metadata injection, the remediation also included removing this extraneous code path to implement defense in depth.
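To make the delimiter-injection mechanism and the two defensive responses concrete, here is an added Python example (not GitHub's code): a hypothetical ";"-separated key=value metadata record showing how an unsanitized push option can override the environment field, the sanitizing fix described above, and a scan over constructed audit-log entries for push options containing ";" (the check the advisory asks GHES administrators to run). The metadata layout, field names and JSON log schema are assumptions, not the real internal protocol or github-audit.log format.

```python
import json

DELIM = ";"  # the delimiter the advisory tells GHES admins to search for

def parse_metadata(blob: str) -> dict:
    """Parse a ';'-separated key=value record (hypothetical internal format)."""
    fields = {}
    for part in blob.split(DELIM):
        key, _, value = part.partition("=")
        fields[key] = value  # a later duplicate key silently wins
    return fields

def build_metadata_unsafe(repo_type: str, env: str, push_option: str) -> str:
    """'Before' builder: embeds the user-supplied push option verbatim."""
    return f"repo_type={repo_type}{DELIM}env={env}{DELIM}opt={push_option}"

def build_metadata_safe(repo_type: str, env: str, push_option: str) -> str:
    """Fixed builder: refuse any user value that carries the delimiter."""
    if DELIM in push_option:
        raise ValueError("push option contains the metadata delimiter")
    return build_metadata_unsafe(repo_type, env, push_option)

def find_suspicious_pushes(log_lines):
    """Return (actor, repo, options) for push entries whose options contain ';'.
    Assumes one JSON object per line with action/actor/repo/push_options keys
    (a constructed schema, not the real github-audit.log layout)."""
    hits = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if entry.get("action") != "git.push":
            continue
        opts = entry.get("push_options") or []
        if any(DELIM in opt for opt in opts):
            hits.append((entry["actor"], entry["repo"], opts))
    return hits

SAMPLE_LOG = [  # constructed sample entries
    '{"action":"git.push","actor":"alice","repo":"acme/app","push_options":["ci.skip"]}',
    '{"action":"git.push","actor":"mallory","repo":"acme/app","push_options":["x;env=other"]}',
    '{"action":"git.clone","actor":"bob","repo":"acme/app"}',
    'not json at all',
]

if __name__ == "__main__":
    bad = parse_metadata(build_metadata_unsafe("public", "sandbox", "x;env=other"))
    print(bad["env"])  # the injected field replaced the intended environment
    print(find_suspicious_pushes(SAMPLE_LOG))
```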
Impact / Why It Matters
Users of github.com and GitHub Enterprise Cloud are not required to take action as these services were patched on March 4, 2026. However, developers and administrators of self-hosted GitHub Enterprise Server instances must upgrade to a patched release immediately to prevent unauthorized command execution on their infrastructure.