Critical CVE-2026-3854 in GitHub: RCE via git push

Colleagues, a critical vulnerability (CVE-2026-3854) in GitHub enables RCE through a single git push.
- Discovered by Wiz; GitHub patched github.com within two hours.
- Cause: improper sanitization of push-options — X-Stat treated ';' as a separator, allowing injection and sandbox escape.
- Impact: github.com and GHES; patches released for multiple GHES versions — update servers.
Recommendation: install updates immediately and audit internal protocols for injection.
Why it matters: in multi-tenant architectures, RCE can grant access to data across many repositories.
How will you validate instances?
#cybersecurity #GitHub #RCE #infosec
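As an added example (my own code, not Wiz's, GitHub's, or how X-Stat actually parses options), here is the kind of strict allowlist check a server-side pre-receive hook can apply to push options before anything downstream sees them, using the standard GIT_PUSH_OPTION_COUNT / GIT_PUSH_OPTION_<n> variables git exposes to hooks; the allowlist pattern and the sample values are constructed assumptions for illustration.

```python
import os
import re
from typing import Dict, List, Optional

# Conservative allowlist for "name" or "name=value": no ';', quotes, spaces or
# other separators/metacharacters ever reach a downstream parser. The pattern
# is an assumption chosen for this example, not GitHub's actual rule.
_OPTION_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}(=[A-Za-z0-9_.:/@-]{0,256})?$")


def validate_push_option(opt: str) -> Optional[str]:
    """Return None if the option is acceptable, else a human-readable reason."""
    if _OPTION_RE.fullmatch(opt):
        return None
    bad = sorted({c for c in opt if not (c.isalnum() or c in "_.:/@=-")})
    return f"rejected push option {opt!r}: disallowed characters {bad}"


def naive_parse(raw: str) -> List[str]:
    """Illustrates the bug class named in the post: a downstream component that
    splits one option string on ';', so a single user-controlled value is
    silently turned into several 'options'. Illustration only, not X-Stat."""
    return [part for part in raw.split(";") if part]


def read_push_options(env: Dict[str, str]) -> List[str]:
    """Collect options as a pre-receive hook sees them (standard git variables)."""
    count = int(env.get("GIT_PUSH_OPTION_COUNT", "0"))
    return [env.get(f"GIT_PUSH_OPTION_{i}", "") for i in range(count)]


def check_push(env: Dict[str, str]) -> List[str]:
    """Return one rejection reason per unsafe option; an empty list means accept."""
    reasons = (validate_push_option(o) for o in read_push_options(env))
    return [r for r in reasons if r]


if __name__ == "__main__":
    # Constructed sample environment: one benign option, one carrying a ';'.
    sample_env = {
        "GIT_PUSH_OPTION_COUNT": "2",
        "GIT_PUSH_OPTION_0": "ci.skip=true",
        "GIT_PUSH_OPTION_1": "note=hello;extra=injected",
    }
    print("naive split of option 1:", naive_parse(sample_env["GIT_PUSH_OPTION_1"]))
    for reason in check_push({**os.environ, **sample_env}):
        print(reason)
```

A real hook would exit non-zero when check_push returns anything, so the push is refused before any tooling consumes the option string.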
