Vulnerability Advisory
CVE-2026-3854
A command injection flaw in GitHub (CVE-2026-3854, CVSS 8.7, which the advisory rates critical although 8.7 falls in the High band of the CVSS qualitative scale) lets an attacker execute arbitrary code on a GitHub server with a single crafted git push. Here is what you need to know to patch your GitHub Enterprise Server instance.
Severity
critical
CVSS Score
8.7 / 10
Fix Status
Patch available
Published
May 5, 2026
Key Facts
- Security researchers at Wiz found a critical flaw that lets an attacker execute arbitrary code on a GitHub server by running a crafted git push; no other access is needed.
- The flaw stems from semicolons that were not properly sanitized in internal headers. A semicolon lets an attacker append a command of their own, break out of the sandbox and reach shared storage nodes.
- GitHub patched its cloud service within two hours, but self-hosted GitHub Enterprise Server instances receive no automatic fix: administrators must apply the update immediately to secure their instances.
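To make the vulnerability class concrete, here is an added example; it is not GitHub's code and does not reproduce the affected component, which the advisory does not identify. It assumes a hypothetical internal header `X-Internal-Repo` whose value ends up in a shell command, with `echo` standing in for the real command. The vulnerable handler shows how a `;` in the header value turns into a second command; the hardened handler shows two independent layers of defence, an allowlist on the value and an argv-style call that never passes through a shell.

```python
import re
import subprocess

# Hypothetical header name; the advisory does not say which internal header was affected.
HEADER = "X-Internal-Repo"

# Constructed sample header values (not taken from any real request).
BENIGN = "octo-org/hello-world"
MALICIOUS = "octo-org/hello-world; echo INJECTED"


def injected(output: str) -> bool:
    """True if the attacker's appended command actually ran (its output is its own line)."""
    return "INJECTED" in output.splitlines()


def run_vulnerable(headers: dict) -> str:
    """Interpolates the header value into a shell string.

    The shell treats ';' as a command separator, so everything after it in the
    header value runs as a separate, attacker-chosen command.
    """
    repo = headers[HEADER]
    cmd = f"echo serving {repo}"          # 'echo' stands in for the real internal command
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def run_argv_only(headers: dict) -> str:
    """Passes the header value as one argv element with no shell involved.

    Even with no validation at all, the ';' is just a character inside one
    argument; nothing parses it as a separator.
    """
    repo = headers[HEADER]
    result = subprocess.run(["echo", "serving", repo], capture_output=True, text=True)
    return result.stdout


# Allowlist for an "owner/name" repository slug: letters, digits, '.', '_', '-' only.
REPO_RE = re.compile(r"[A-Za-z0-9._-]+/[A-Za-z0-9._-]+")


def run_hardened(headers: dict) -> str:
    """Rejects any header value that is not a plain repository slug, then
    invokes the command via argv. Validation stops hostile values at the
    boundary; the argv call means a missed case still cannot spawn a shell."""
    repo = headers[HEADER]
    if not REPO_RE.fullmatch(repo):
        raise ValueError(f"rejected header value: {repo!r}")
    result = subprocess.run(["echo", "serving", repo], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print("vulnerable, benign   :", run_vulnerable({HEADER: BENIGN}).rstrip())
    print("vulnerable, malicious:", injected(run_vulnerable({HEADER: MALICIOUS})))
    print("argv only, malicious :", injected(run_argv_only({HEADER: MALICIOUS})))
    try:
        run_hardened({HEADER: MALICIOUS})
    except ValueError as exc:
        print("hardened, malicious  :", exc)
```

The allowlist is the check that belongs at the trust boundary where the header is read; the argv form is what makes a sanitization slip survivable. Sanitizing by stripping semicolons alone is not enough, since `&`, `|`, newlines and backticks all serve the same purpose to a shell.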
Full Analysis
The "One-Push" GitHub RCE: How CVE-2026-3854 Broke the Sandbox
Deep-dive: technical breakdown, real-world impact, complete remediation steps, and expert context.