EXECUTIVE SUMMARY
A high-severity remote code execution vulnerability (CVE-2026-3854) in GitHub’s internal git infrastructure allows authenticated users to execute arbitrary code via a single git push. The flaw stems from improper input sanitization in internal service communication, enabling command injection and sandbox bypass. Successful exploitation could lead to full server compromise and cross-tenant data exposure, particularly in GitHub Enterprise Server environments.
- CVE: CVE-2026-3854
- CVSS: 8.7 (High)
- Active Region: Global
- Affected Sector: IT, Software Development, Cloud & DevOps Platforms
- Affected Product: GitHub.com, GitHub Enterprise Cloud, GitHub Enterprise Server (GHES ≤ 3.19.1)
- Severity: High (RCE leading to full server compromise and cross-tenant data exposure)
- Published Date: April 28, 2026
TECHNICAL DETAILS
This is a command injection vulnerability (CWE-77) caused by improper sanitization of user-controlled input in GitHub’s internal git processing pipeline. Specifically, user-supplied git push options are incorporated into an internal X-Stat header without proper validation, allowing attackers to inject arbitrary key-value pairs that can influence backend processing.
- Target: GitHub’s internal git processing components, including babeld, gitauth, gitrpcd, and pre-receive hooks, particularly in how metadata is propagated via internal headers.
- Root Cause: Failure to neutralize special characters in user-controlled input before it is embedded in trusted inter-service communication. Because the internal header uses semicolons to delimit its key-value pairs, a semicolon inside a push option terminates the attacker's value, and whatever follows it is parsed by the receiving service as a new, attacker-chosen key-value pair.
- Prerequisite For Exploitation: Exploitation requires an authenticated user with push access to a repository. The attacker must be able to supply crafted git……
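The following is an added illustration, not code from GitHub or from this advisory, of the injection pattern described above: a front-end service serializes trusted metadata together with raw push options into a semicolon-delimited key=value header, and the backend parser lets a later duplicate key overwrite an earlier one, so a push option containing ";" can replace a trusted field. The header layout, the field names (repo_id, sandbox, push_option_N), the sample values and the percent-encoding fix are assumptions made for the example; the advisory does not describe the real X-Stat format.

```python
from urllib.parse import quote, unquote

# Constructed, hypothetical metadata a front-end service might attach to a push
# before forwarding it to a backend. The key names are illustrative only.
TRUSTED_METADATA = {"repo_id": "1234", "sandbox": "strict"}


def build_stat_header_vulnerable(trusted, push_options):
    """Serialize trusted metadata plus raw push options into a ';'-delimited
    key=value header. The user-controlled option text is copied verbatim, so a
    ';' or '=' inside it becomes part of the wire format (the bug pattern)."""
    pairs = [f"{k}={v}" for k, v in trusted.items()]
    for i, opt in enumerate(push_options):
        pairs.append(f"push_option_{i}={opt}")  # no neutralization of delimiters
    return ";".join(pairs)


def parse_stat_header(header, decode=False):
    """Backend-side parser: split on ';', then each pair on its first '='.
    A later duplicate key overwrites an earlier one, which is what turns an
    injected 'sandbox=...' pair into a change of trusted metadata."""
    fields = {}
    for pair in header.split(";"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        fields[key] = unquote(value) if decode else value
    return fields


def build_stat_header_hardened(trusted, push_options):
    """Same wire format, but every user-controlled value is percent-encoded with
    no safe characters, so ';' and '=' can never appear unescaped. As defence in
    depth the serialized header is re-parsed and cross-checked before it is sent."""
    pairs = [f"{k}={v}" for k, v in trusted.items()]
    for i, opt in enumerate(push_options):
        pairs.append(f"push_option_{i}={quote(opt, safe='')}")
    header = ";".join(pairs)

    parsed = parse_stat_header(header, decode=True)
    expected_keys = set(trusted) | {f"push_option_{i}" for i in range(len(push_options))}
    if set(parsed) != expected_keys or any(parsed[k] != v for k, v in trusted.items()):
        raise ValueError("push option altered trusted metadata")
    return header


def demo():
    """Run a constructed attacker push option through both builders and return
    (sandbox field seen by the vulnerable backend,
     sandbox field seen by the hardened backend,
     the push option as recovered by the hardened backend)."""
    attacker_options = ["nwo=victim/repo;sandbox=disabled"]  # constructed payload

    vuln = parse_stat_header(build_stat_header_vulnerable(TRUSTED_METADATA, attacker_options))
    safe = parse_stat_header(build_stat_header_hardened(TRUSTED_METADATA, attacker_options),
                             decode=True)
    return vuln["sandbox"], safe["sandbox"], safe["push_option_0"]


if __name__ == "__main__":
    vulnerable_sandbox, hardened_sandbox, recovered_option = demo()
    print("vulnerable backend sees sandbox =", vulnerable_sandbox)  # disabled
    print("hardened backend sees sandbox   =", hardened_sandbox)    # strict
    print("hardened backend recovers option =", recovered_option)
```

On the client side push options are supplied with `git push -o <string>` (or `--push-option`); on a server that advertises the push-options capability, git exposes them to `pre-receive` and `post-receive` hooks as the `GIT_PUSH_OPTION_COUNT` and `GIT_PUSH_OPTION_<n>` environment variables. Any service that copies those values into its own delimited wire format needs the same treatment as the hardened builder above: encode or reject the format's delimiters, and verify that the serialized message decodes to exactly the fields it was meant to carry.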