Urgent Security Alert: Critical RCE Vulnerability in GitHub's Git Push Pipeline
On March 4, 2026, GitHub received a critical vulnerability report through its Bug Bounty program from researchers at Wiz. The flaw allowed any user with push access to a repository—including their own—to achieve arbitrary command execution on the server handling the push. GitHub validated the finding within 40 minutes, deployed a fix to github.com in under two hours, and confirmed no exploitation occurred.
“This vulnerability could have allowed an attacker to execute arbitrary commands on GitHub servers by crafting a single git push command with a malicious push option,” said a Wiz researcher involved in the discovery. “GitHub’s rapid response prevented any real-world impact.”
Background: How the Vulnerability Worked
The vulnerability exploited how user-supplied git push options were handled within GitHub’s internal metadata. Push options—an intentional feature that lets clients send key-value strings during a push—were incorporated into metadata without sufficient sanitization. The internal metadata format used a delimiter character that could also appear in user input, allowing an attacker to inject additional fields that downstream services interpreted as trusted internal values.
“By chaining several injected values together, an attacker could override the environment the push was processed in, bypass sandboxing protections that normally constrain hook execution, and ultimately execute code on the server,” explained a GitHub security engineer. The attack required only a single command: git push with a crafted push option leveraging an unsanitized character.
The vulnerable systems included github.com, GitHub Enterprise Cloud (including Data Residency and Enterprise Managed Users variants), and GitHub Enterprise Server.
GitHub's Response: Fix in Under Two Hours
At 5:45 p.m. UTC on March 4, 2026, the root cause was identified. A fix was deployed to github.com by 7:00 p.m. UTC the same day. The patch ensures user-supplied push option values are properly sanitized and can no longer influence internal metadata fields. A forensic investigation concluded there was no evidence of exploitation.
“When you have a vulnerability of this severity, every minute counts,” said a GitHub spokesperson. “Our team worked around the clock to reproduce, fix, and patch the flaw across all platforms—and we’re grateful to the Wiz researchers for responsibly disclosing it.”
Patches and CVE for GitHub Enterprise Server
GitHub has released patches for all supported GHES releases: versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, 3.20.0, or later. The associated CVE is CVE-2026-3854. All GHES customers are strongly urged to upgrade immediately.
- GitHub Enterprise Server – install the latest patch from your release branch.
- github.com and GitHub Enterprise Cloud – automatically updated; no action required.
What This Means for Developers and Enterprises
This incident underscores the critical importance of input sanitization in even well-audited systems. While no exploitation occurred, the vulnerability could have been used to execute arbitrary commands in GitHub’s infrastructure, potentially affecting repositories, actions, and secrets.
“This is a wake-up call for any platform that processes user-supplied data in internal protocols,” said Craig McGhee, a security researcher not involved in the disclosure. “GitHub’s response time is commendable, but the fact that such a fundamental sanitization flaw existed highlights the need for continuous security review.”
Developers and system administrators should verify they are running the latest version of GHES and review any custom git hooks or automation that might be affected. For github.com and GHEC users, no action is needed. The vulnerability report was submitted through GitHub’s Bug Bounty program, which offers rewards for responsible disclosures.
Lessons Learned and Future Prevention
GitHub has committed to improving internal metadata handling and adding more rigorous fuzzing for git-related protocols. The company is also expanding its bug bounty scope to encourage deeper security research into git integration points.
“We are implementing additional automated checks that will detect similar injection patterns in real time,” the GitHub security engineer added. “We want to ensure this class of vulnerability cannot recur.”
For more details, refer to the Background section or the upgrade instructions.