Breaking: Critical Vulnerability in GitHub's Git Push Pipeline Exposed Servers to Remote Code Execution
On March 4, 2026, GitHub received a bug bounty report from security researchers at Wiz detailing a critical remote code execution (RCE) vulnerability affecting both github.com and GitHub Enterprise products. The flaw allowed any user with push access to a repository—including one they created themselves—to execute arbitrary commands on the GitHub server handling their git push operation.
GitHub's security team validated the finding within 40 minutes and deployed a fix to github.com just 75 minutes later, at 7:00 p.m. UTC that same day. A forensic investigation concluded that no exploitation had occurred before the patch was applied.
"This was a critical issue requiring immediate action, and our team moved with exceptional speed to contain and remediate it," said a GitHub spokesperson. "We are grateful to the Wiz researchers for their responsible disclosure."
Background: How the Attack Worked
The vulnerability stemmed from how git push options—a legitimate feature allowing clients to send key-value strings during a push—were handled in internal metadata. When a user pushes code, multiple services communicate using an internal protocol that relies on delimiters.
Attackers could craft a push option containing an unsanitized delimiter character, injecting additional fields into the metadata. By chaining several injected values, researchers at Wiz showed it was possible to override the processing environment, bypass sandboxing protections that normally constrain hook execution, and ultimately execute arbitrary commands on the server.
The attack required only a single git push command with a specially crafted push option, making it trivially easy to exploit once the technique was known.
Immediate Response and Patches
After identifying the root cause at 5:45 p.m. UTC on March 4, GitHub's engineering team developed and deployed a fix to github.com by 7:00 p.m. UTC. The fix ensures that all user-supplied push option values are properly sanitized and can no longer influence internal metadata fields.
For GitHub Enterprise Server (GHES) customers, patches are available today across all supported releases: 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, 3.20.0, or later. The vulnerability has been assigned CVE-2026-3854.
GitHub strongly urges all GHES administrators to upgrade immediately. The affected products include:
- github.com
- GitHub Enterprise Cloud
- GitHub Enterprise Cloud with Data Residency
- GitHub Enterprise Cloud with Enterprise Managed Users
- GitHub Enterprise Server
What This Means for Users and Administrators
For github.com users, no action is required—the fix has been applied server-side. However, any organization using GitHub Enterprise Server should treat this as a critical priority and upgrade to the latest patched version immediately.
While there is no evidence of exploitation in the wild, the simplicity of the attack vector means that unpatched instances remain at high risk. GitHub's security advisory notes that the vulnerability could have allowed an attacker to take full control of the server handling the git push, potentially compromising repositories, secrets, and infrastructure.
"The speed of the response demonstrates the maturity of GitHub's security operations and the importance of proactive bug bounty programs," commented a cybersecurity analyst not affiliated with the disclosure. "Users should remain vigilant and ensure their Enterprise Server deployments are patched without delay."
GitHub has also committed to a post-incident review to prevent similar issues in the future, including enhanced sanitization of user input in all internal protocols and additional automated testing for push path components.