Critical GitHub Vulnerability Exposed Millions of Repositories

Summary

Researchers at Wiz discovered CVE-2026-3854, a critical remote code execution vulnerability in GitHub's internal Git infrastructure affecting both GitHub.com and GitHub Enterprise Server. The flaw allowed any authenticated user to execute arbitrary commands on backend servers via a standard git push, potentially exposing millions of public and private repositories. GitHub patched GitHub.com on March 4 and Enterprise Server on March 10, but as of the report date, 88% of Enterprise Server instances remained unpatched.

Full text

Researchers at cloud security giant Wiz discovered a critical remote code execution vulnerability in GitHub that exposed millions of repositories. The vulnerability, tracked as CVE-2026-3854, affected the code-hosting platform’s internal Git infrastructure. It impacted both GitHub Enterprise Server and GitHub.com. “By exploiting an injection flaw in GitHub’s internal protocol, any authenticated user could execute arbitrary commands on GitHub’s backend servers with a single git push command – using nothing but a standard git client,” Wiz explained. According to the security firm, which discovered the issue using AI, exploitation is easy. In the case of GitHub Enterprise Server, an attacker can exploit the vulnerability to fully compromise the server and gain access to all repositories and internal secrets. The impact was even greater on GitHub.com, where CVE-2026-3854 could have been exploited for remote code execution on shared storage nodes.Advertisement. Scroll to continue reading. “On GitHub.com, this vulnerability allowed remote code execution on shared storage nodes. We confirmed that millions of public and private repositories belonging to other users and organizations were accessible on the affected nodes,” Wiz said. While the authentication requirement may appear to mitigate the risk, GitHub explained that any user with push access to a repository, including one they created, could exploit the vulnerability to execute arbitrary commands on the server. GitHub quickly addressed the vulnerability. The company has conducted a forensic investigation and determined that it has not been exploited in the wild. In addition to GitHub.com and GitHub Enterprise Server, the security hole affected GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, and GitHub Enterprise Cloud with Enterprise Managed Users. The vulnerability was reported to GitHub on March 4, and a fix was deployed to GitHub.com on the same day. A patch for Enterprise Server was made available on March 10. However, Wiz reported on Tuesday that 88% of Enterprise Server instances had not yet been updated to a patched version. The technical details of CVE-2026-3854 have been disclosed by Wiz, and GitHub has described the actions it has taken and its process for handling such vulnerabilities. Related: Claude Code, Gemini CLI, GitHub Copilot Agents Vulnerable to Prompt Injection via Comments Related: Critical Vulnerability in OpenAI Codex Allowed GitHub Token Compromise Related: GitHub Issues Abused in Copilot Attack Leading to Repository Takeover Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Robinhood Vulnerability Exploited for Phishing AttacksElectric Motorcycles and Scooters Face Hacking Risks to Security and Rider SafetyMedtronic Hack Confirmed After ShinyHunters Threatens Data LeakMalicious AI Prompt Injection Attacks Increasing, but Sophistication Still Low: GoogleEnergy and Water Management Firm Itron HackedFirefox Vulnerability Allows Tor User FingerprintingLocked Shields 2026: 41 Nations Strengthen Cyber Resilience in World’s Biggest ExerciseVulnerabilities Patched in CrowdStrike, Tenable Products Latest News Fresh LiteLLM Vulnerability Exploited Shortly After DisclosureHundreds of Internet-Facing VNC Servers Expose ICS/OTCheckmarx Confirms Data Stolen in Supply Chain AttackIranian Cyber Group Handala Targets US Troops in Bahrain38 Vulnerabilities Found in OpenEMR Medical SoftwareChrome 147, Firefox 150 Security Updates Rolling OutCyber Insurance Data Gives CISOs New Ammo for Budget TalksVimeo Confirms User and Customer Data Breach Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: A Step-by-Step Approach to AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the MoveMongoDB has appointed Doug Bowers as Chief Information Security Officer.Ben Wilkens has been promoted to Director of Cybersecurity at NMFTA.Cato Networks has appointed Meital Koren as Chief Legal Officer.More People On The MoveExpert Insights The Mythos Moment: Enterprises Must Fight Agents with Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Why Cybersecurity Must Rethink Defense in the Age of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Government Can’t Win the Cyber War Without the Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-3854

Entities