Security researchers have disclosed a critical vulnerability in GitHub.com and GitHub Enterprise Server that allowed an authenticated user to achieve remote code execution (RCE) with a single git push. Tracked as CVE-2026-3854 with a CVSS score of 8.7, the flaw was a clear-cut case of command injection: push options supplied by the user were not sanitised before being included in an internal header (X-Stat) consumed by internal GitHub services.
The underlying technical problem was that the internal metadata format used a semicolon as its delimiter, and user-supplied values could contain that very character. With specially crafted fields, an attacker with push permission could inject additional metadata entries that, when chained, bypassed sandboxing protections and redirected hook execution to attacker-controlled paths. Wiz researchers demonstrated a working chain that altered root_env, custom_hooks_dir and repo_pre_receive_hooks to execute commands as the git user and reach shared storage.

Wiz reported the flaw to GitHub on 4 March 2026; GitHub responded quickly and deployed a fix to GitHub.com within hours. The patched versions of GitHub Enterprise Server are 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4 and 3.20.0 or later. GitHub states that there is no evidence of malicious exploitation in the wild, but the ease of exploitation and the potential for cross-tenant access on shared infrastructure make the finding a serious risk for enterprise and multi-tenant environments.
The practical implications go well beyond a classic backdoor: with unrestricted RCE as the git user on shared storage nodes, an attacker can read and write repositories belonging to multiple organisations, expose secrets, and compromise the integrity and availability of software supply chains. The incident also highlights a recurring architectural risk: when several services written in different languages share internal protocols while holding different assumptions about the data format, those assumptions become an attack surface.
If you manage GitHub Enterprise Server, the immediate and non-negotiable action is to update to one of the patched versions listed above. For GitHub.com users, GitHub applied the mitigation on the public platform, but it is still advisable to audit access and recent activity, rotate high-privilege tokens and keys, and check logs for atypical pushes or unusual use of push options. In all cases, keep the number of accounts with direct push permission to protected branches to a minimum and require automated CI checks before deployment.
Beyond the patch, response and detection measures are recommended: verify the integrity of critical repositories, inspect hooks and settings on servers, look for changes in configuration files or hooks directories, review audit trails and alerts, and, if there are indicators of compromise, activate the incident response plan, isolate affected instances and restore from known-good copies. It is also prudent to rotate service credentials (tokens, SSH keys, deploy keys) associated with sensitive repositories.

For long-term prevention, organisations and vendors should strengthen defence in depth: validate and thoroughly sanitise all user input, avoid internal formats that depend on ambiguous delimiters, segment multi-tenant storage, and apply fuzzing and cross-team review at the points where several services interpret the same protocol. Teams that build distributed architectures should audit how user-controlled data flows through internal protocols and what format assumptions each service makes.
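As an added illustration, not code from GitHub or from Wiz's write-up, the following Python sketch shows the delimiter-injection pattern described in the technical summary above alongside the input validation recommended in this prevention section: a semicolon-delimited metadata builder, the consumer that parses it, and a hardened builder. The X-Stat header name and the three privileged keys come from the article; the trusted fields, the allowlist and the sample option values are constructed assumptions.

```python
import re
# Hypothetical reconstruction of the pattern described above: user-controlled
# push options are joined into a semicolon-delimited metadata header that a
# downstream service splits back into key=value fields. Only X-Stat and the
# privileged key names come from the article; everything else is constructed.
DELIM = ";"
PRIVILEGED_KEYS = {"root_env", "custom_hooks_dir", "repo_pre_receive_hooks"}
TRUSTED_FIELDS = ["repo=acme/app", "actor=alice"]  # constructed sample values
SAFE_OPTION = re.compile(r"[A-Za-z0-9._-]+")        # strict allowlist

def build_header_vulnerable(push_options):
    """Concatenate push options into the X-Stat header with no validation."""
    return DELIM.join(TRUSTED_FIELDS + [f"push_opt={o}" for o in push_options])

def parse_header(header):
    """Consumer side: split on ';' into key=value pairs, last value wins.
    It cannot distinguish a ';' inside a value from a real field boundary,
    so one push option can smuggle in arbitrary extra keys."""
    meta = {}
    for field in header.split(DELIM):
        key, _, value = field.partition("=")
        meta[key] = value
    return meta

def build_header_hardened(push_options):
    """Refuse any option outside the allowlist, so neither the delimiter
    nor '=' can ever appear inside a value."""
    for opt in push_options:
        if not SAFE_OPTION.fullmatch(opt):
            raise ValueError(f"rejected push option {opt!r}")
    return build_header_vulnerable(push_options)  # safe once validated

def injected_privileged_keys(push_options):
    """Defender's check: privileged keys these options would inject into
    the parsed metadata if passed through the unvalidated path."""
    meta = parse_header(build_header_vulnerable(push_options))
    return sorted(meta.keys() & PRIVILEGED_KEYS)

def hardened_rejects(push_options):
    """True if the hardened builder refuses this set of options."""
    try:
        build_header_hardened(push_options)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    benign = ["ci.skip"]
    hostile = ["ci.skip;custom_hooks_dir=/constructed/hooks"]  # constructed
    print(injected_privileged_keys(benign), hardened_rejects(benign))    # [] False
    print(injected_privileged_keys(hostile), hardened_rejects(hostile))  # ['custom_hooks_dir'] True
```

The same check can be pointed at push options recorded in server logs to flag any value containing the delimiter or an '=' sign, which is exactly the unusual push-option usage the article recommends looking for.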
Finally, those who manage repositories should stay informed through official communications and technical documentation: GitHub's security advisories page is a good starting point for checking affected details and versions (https://github.com/advisories), and the git documentation on push options helps in understanding how these options travel with a push (https://git-scm.com/docs/git-push#_push_options). For the technical analysis and the discoverer's recommendations, the research page of the firm that reported the flaw also provides operational context on the exploit chain and the recommended mitigations (https://www.wiz.io/blog).
In short, CVE-2026-3854 is a reminder that even everyday operations such as a git push can become compromise vectors if inputs are not validated at every point in the infrastructure. Check your telemetry and tighten your permissions now: the exposure is real, and prevention depends on both timely patching and lasting architectural changes.