Detections
Analytics

CVE-2026-3854

high

Description

An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 and 3.19.4.

References

https://www.theregister.com/2026/04/29/github_woah_a_genuinely_helpful/

https://www.securityweek.com/critical-github-vulnerability-exposed-millions-of-repositories/

https://www.bleepingcomputer.com/news/security/github-fixes-rce-flaw-that-gave-access-to-millions-of-private-repos/

https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854

https://thehackernews.com/2026/04/researchers-discover-critical-github.html

https://securityaffairs.com/191434/security/cve-2026-3854-github-flaw-enables-remote-code-execution.html

https://docs.github.com/en/[email protected]/admin/release-notes#3.19.4

https://docs.github.com/en/[email protected]/admin/release-notes#3.18.7

https://docs.github.com/en/[email protected]/admin/release-notes#3.17.13

https://docs.github.com/en/[email protected]/admin/release-notes#3.16.16

https://docs.github.com/en/[email protected]/admin/release-notes#3.15.20

https://docs.github.com/en/[email protected]/admin/release-notes#3.14.25

Details

Source: Mitre, NVD

Published: 2026-03-10

Updated: 2026-04-28

Risk Information

CVSS v2

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.8

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

CVSS v4

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.00514

Vulnerability Watch

Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.

Vulnerability Being Monitored