{"id":236754,"date":"2026-04-28T14:19:00","date_gmt":"2026-04-28T18:19:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/28\/researchers-discover-critical-github-cve-2026-3854-rce-flaw-exploitable-via-single-git-push\/"},"modified":"2026-04-28T16:15:15","modified_gmt":"2026-04-28T20:15:15","slug":"researchers-discover-critical-github-cve-2026-3854-rce-flaw-exploitable-via-single-git-push","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/28\/researchers-discover-critical-github-cve-2026-3854-rce-flaw-exploitable-via-single-git-push\/","title":{"rendered":"Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/researchers-discover-critical-github.html\">Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/researchers-discover-critical-github.html\">https:\/\/thehackernews.com\/2026\/04\/researchers-discover-critical-github.html<\/a><\/p>\n<p>Publish Date: 2026-04-28 14:19:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span><span class=\"author\">Apr 28, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Software Security<\/span><\/p>\n<p>Cybersecurity researchers have disclosed details of a critical security vulnerability impacting GitHub.com and GitHub Enterprise Server that could allow an authenticated user to obtain remote code execution with a single &#8220;git push&#8221; command.<\/p>\n<p>The flaw, tracked as <strong>CVE-2026-3854<\/strong> (CVSS score: 8.7), is a case of command injection that could allow an attacker with push access to a repository to achieve remote code execution on the instance.<\/p>\n<p>&#8220;During a 
git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers,&#8221; per a GitHub advisory for the vulnerability. &#8220;Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values.&#8221;<\/p>\n<p>Google-owned cloud security firm Wiz has been credited with discovering and reporting the issue on March 4, 2026, with GitHub validating and deploying a fix to GitHub.com within two hours.<\/p>\n<p>The vulnerability has also been addressed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4, 3.20.0, or later. There is no evidence that the issue was ever exploited in a malicious context.<\/p>\n<p>According to GitHub, the issue affects GitHub.com, GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, GitHub Enterprise Cloud with Enterprise Managed Users, and GitHub Enterprise Server.<\/p>\n<p>At its core, the problem stems from the fact that user-supplied git push options were not adequately sanitized before their values were incorporated into the internal X-Stat header. 
Because the internal metadata format relies on a semicolon as a delimiter character that could also appear in the user input, a bad actor could exploit this oversight to inject arbitrary commands and have them executed.<\/p>\n<p><img decoding=\"async\" alt=\"\" border=\"0\" data-original-height=\"1463\" data-original-width=\"1920\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiAkGYZ8vs0N5vUfEzcIqnrxqxk5g_PmRxs6iq8fwMyskwxHZ7PvTtgzwL2h0ZPTqdb1F7AMFLES0fgmAXA_l2HTkIYfZT-SV-AGYjU6I7PXG8iJtT2ozpWUj6LPK-A8M81z3PRchxPNiwUSD08bHGAleNciXfEJYIpuc0MKs3ftvqjMDcb9TO3aua1ywid\/s1600\/git-exploit.jpg\"\/><\/p>\n<p>&#8220;By chaining several injected values together, the researchers demonstrated that an&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/researchers-discover-critical-github.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push https:\/\/thehackernews.com\/2026\/04\/researchers-discover-critical-github.html Publish 
Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":236755,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgztlzahKA2HwUQiNDerhbX2l415JinNIW5jaU5tgskPVHqpMhba_NorYL9SSWRzLdSPjSnsxZKQic97f8H2Bx2G0Dsjb58dcdFuZoL0c5Gno3BVvYa4vi62_PNr1Qh-kBYED7YbTPw3fqQklMmnoPV0b1KYaienKHzIAtBuktMqyVCxGU0u8Hkd-zzYeNU\/s1600\/github.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,27],"class_list":["post-236754","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/236754"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=236754"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/236754\/revisions"}],"predecessor-version":[{"id":236756,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/236754\/revisions\/236756"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/236755"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=236754"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=236754"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=236754"}],"curies
":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}