
A critical vulnerability in GitHub's internal infrastructure allowed any authenticated user to execute arbitrary commands on GitHub's backend servers using nothing more than a standard git push command — potentially exposing millions of public and private repositories belonging to other users and organizations.
Discovered by Wiz Research and tracked as CVE-2026-3854, the flaw stems from an injection vulnerability in GitHub's internal X-Stat header — a semicolon-delimited protocol that passes security metadata between the platform's internal services.
When a user runs git push -o (push options), GitHub's babeld proxy embeds those user-supplied strings directly into the X-Stat header without stripping semicolons. Because the header parser uses last-write-wins logic, an attacker can simply inject a semicolon followed by a field name to silently override security-critical settings already set by the server.
From there, Wiz researcher Sagi Tzadik chained three injected fields to achieve full remote code execution: bypassing the production sandbox by overriding rails_env, redirecting the hook script directory via custom_hooks_dir, and finally delivering a path traversal payload through repo_pre_receive_hooks — forcing the system to execute an arbitrary binary as the git service user with full filesystem access.
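A simplified model of the delimiter-injection flaw described above, with a hardened serializer and parser beside it. This is an added illustration, not Wiz's or GitHub's code: the key=value layout of the header, the server-set values and the push-option field name are assumptions, since the real X-Stat wire format is not public.

```python
from typing import Dict, List

# Constructed server-side metadata for the illustration (values are assumed).
SERVER_FIELDS: Dict[str, str] = {"rails_env": "production", "repo": "org/repo"}


class HeaderInjectionError(ValueError):
    """Raised when user input would alter the structure of the header."""


def build_header_unsafe(server_fields: Dict[str, str], push_options: List[str]) -> str:
    # Model of the flaw: push options are appended verbatim, so a ';' inside
    # one option starts a new field that the server never intended to send.
    parts = [f"{k}={v}" for k, v in server_fields.items()]
    parts += [f"push_option={opt}" for opt in push_options]
    return ";".join(parts)


def parse_header_last_write_wins(header: str) -> Dict[str, str]:
    # Model of the flawed parser: a repeated key silently replaces the earlier
    # value, so an injected field overrides one set by the server.
    fields: Dict[str, str] = {}
    for part in filter(None, header.split(";")):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def build_header_safe(server_fields: Dict[str, str], push_options: List[str]) -> str:
    # Hardened serializer: user data may not contain the field delimiter or the
    # key/value separator, so it can never terminate its own field.
    for opt in push_options:
        if ";" in opt or "=" in opt:
            raise HeaderInjectionError(f"delimiter in push option: {opt!r}")
    return build_header_unsafe(server_fields, push_options)


def parse_header_strict(header: str) -> Dict[str, str]:
    # Hardened parser: a duplicate or malformed field is a protocol violation,
    # so the request fails closed instead of letting the last occurrence win.
    fields: Dict[str, str] = {}
    for part in filter(None, header.split(";")):
        key, sep, value = part.partition("=")
        if not sep or key in fields:
            raise HeaderInjectionError(f"malformed or duplicate field: {part!r}")
        fields[key] = value
    return fields


def sandbox_overridden(push_options: List[str]) -> bool:
    # True if the flawed pipeline lets push options change the server-set rails_env.
    header = build_header_unsafe(SERVER_FIELDS, push_options)
    return parse_header_last_write_wins(header)["rails_env"] != SERVER_FIELDS["rails_env"]
```

Either fix alone closes the override: the safe serializer keeps user data inside its own field, and the strict parser rejects a header in which a security field appears twice.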
[Figure: GitHub Remote Code Execution - CVE-2026-3854]
On GitHub Enterprise Server (GHES), this granted complete server compromise. On GitHub.com, one additional injected flag enabled enterprise-mode behavior, and the same exploit chain landed on shared storage nodes hosting repositories across millions of accounts.
Wiz confirmed that the git user's permissions allowed reading any repository on the compromised node, regardless of ownership — though the researchers say they did not access other tenants' actual data.
GitHub patched GitHub.com within six hours of the disclosure and released fixes across all supported GHES versions. However, Wiz warns that 88% of GitHub Enterprise Server instances remain unpatched at the time of publication. GHES administrators must upgrade to version 3.19.3 or later immediately.
GitHub CISO Alexis Wales called the finding rare, noting it earned one of the highest bug bounty rewards the platform offers.
Notably, the vulnerability was uncovered using AI-assisted reverse engineering through IDA MCP — marking one of the first critical flaws discovered in closed-source binaries with AI tooling.
If you run GitHub Enterprise Server, treat this as a fire drill — patch now.
