GitHub Critical RCE Vulnerability CVE-2026-3854 Discovered
Original: GitHub RCE Vulnerability: CVE-2026-3854 Breakdown
Why This Matters
It highlights AI's growing role in vulnerability discovery and a critical flaw in the security of GitHub's own infrastructure.
Wiz Research discovered CVE-2026-3854, a critical vulnerability in GitHub's git infrastructure that allows remote code execution via a single git push. It affects both GitHub.com and GitHub Enterprise Server. GitHub patched GitHub.com within 6 hours.
Wiz Research uncovered CVE-2026-3854, a critical vulnerability in GitHub's internal git infrastructure that enabled remote code execution on both GitHub.com and GitHub Enterprise Server. Any authenticated user could execute arbitrary commands on backend servers with a standard git push command by exploiting an injection flaw in GitHub's internal protocol. This is one of the first critical vulnerabilities discovered in closed-source binaries with the help of AI. On GitHub.com, the vulnerability allowed RCE on shared storage nodes with access to millions of public and private repositories. On GitHub Enterprise Server, it allowed full server compromise, including all repositories and secrets. GitHub mitigated the issue on GitHub.com within 6 hours and released patches for all supported GHES versions. At the time of writing, 88% of GHES instances remain vulnerable and require an immediate upgrade to version 3.19.3 or later.
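As an added defender-side check (not part of the original post, nor of Wiz's or GitHub's tooling), the snippet below compares the version a GHES instance reports against the 3.19.3 threshold quoted above. It assumes the `installed_version` field that GHES returns from its `/api/v3/meta` endpoint; the sample response is constructed.

```python
import json
import re

# Minimum GHES version the post names as patched for CVE-2026-3854.
# Other supported release lines received their own patches, but the post
# does not list those versions, so only this threshold is encoded here.
PATCHED_GHES_VERSION = "3.19.3"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn 'major.minor.patch' (any trailing suffix ignored) into a comparable tuple.

    Tuple comparison is used deliberately: string comparison would rank
    '3.19.10' below '3.19.3', which is the classic version-check mistake.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def needs_upgrade(installed, patched=PATCHED_GHES_VERSION):
    """True when the installed GHES version is older than the patched release."""
    return parse_version(installed) < parse_version(patched)


def assess_meta(meta_json):
    """Assess a /api/v3/meta response body (assumes an 'installed_version' field)."""
    meta = json.loads(meta_json)
    installed = meta.get("installed_version")
    if installed is None:
        # GitHub.com's meta endpoint has no installed_version; GHES does.
        return {"installed": None, "status": "unknown",
                "action": "confirm the version in the management console"}
    vulnerable = needs_upgrade(installed)
    return {
        "installed": installed,
        "status": "vulnerable" if vulnerable else "patched",
        "action": (f"upgrade to {PATCHED_GHES_VERSION} or later"
                   if vulnerable else "none"),
    }


# Constructed sample response, shaped like a GHES meta payload.
SAMPLE_META = json.dumps({"installed_version": "3.19.1",
                          "verifiable_password_authentication": True})

if __name__ == "__main__":
    print(assess_meta(SAMPLE_META))
```

In practice the payload comes from an authenticated GET to the instance's meta endpoint; feed that body to `assess_meta` unchanged.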