GitHub Rushes Patch for Critical Remote Code Execution Bug in Git Push Pipeline
GitHub patched critical RCE via git push options within hours. No exploitation found. GHES patches available. CVE-2026-3854.
Critical Git Push Vulnerability Patched Within Hours
GitHub has deployed an emergency fix for a critical remote code execution (RCE) vulnerability in its git push pipeline. The flaw, reported through the company's bug bounty program on March 4, 2026, could have allowed any user with push access to a repository to execute arbitrary commands on GitHub servers. There is no evidence the vulnerability was ever exploited.
“We received a detailed report from Wiz researchers showing how a specially crafted push option could bypass sandbox protections,” said Jill Smith, Senior Security Engineer at GitHub. “Our team validated and resolved the issue in under two hours, a testament to our incident response process.” The fix for github.com was live by 7:00 PM UTC the same day.
Background
The vulnerability stemmed from how GitHub processes metadata during a git push operation. When a user pushes code, internal services exchange metadata using a delimiter-based protocol. Push options—a deliberate Git feature allowing users to send key-value strings—were incorporated into that metadata without proper sanitization.
An attacker could inject delimiter characters through push options to add malicious fields interpreted as trusted internal values. By chaining several of these injections, researchers from Wiz demonstrated full command execution. “It required just one command: git push with a crafted option that included an unsanitized character,” explained Dr. Amit Cohen, Wiz security researcher.
The bug affected all GitHub environments: github.com, GitHub Enterprise Cloud (including Data Residency and Enterprise Managed Users), and GitHub Enterprise Server. GitHub published CVE-2026-3854 and released patches for all supported GHES versions (3.14.25 and later). Customers are strongly urged to upgrade immediately.
What This Means
For cloud users, no action is required; the fix is already in effect. Enterprise Server administrators must apply the available patches to prevent potential exploitation. While no malicious activity was detected, the vulnerability's criticality means immediate patching is essential.
This incident underscores the risks in implicit trust of user input during internal data flows. GitHub's rapid response—40 minutes to reproduce, two hours to deploy—demonstrates effective security procedures, but the flaw's existence highlights the need for continued vigilance in code processing pipelines. The company has committed to additional sanitization checks and enhanced monitoring of push-related systems.