{"id":237149,"date":"2026-04-29T08:41:00","date_gmt":"2026-04-29T12:41:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/29\/github-fixes-rce-flaw-that-gave-access-to-millions-of-private-repos\/"},"modified":"2026-04-29T15:00:30","modified_gmt":"2026-04-29T19:00:30","slug":"github-fixes-rce-flaw-that-gave-access-to-millions-of-private-repos","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/29\/github-fixes-rce-flaw-that-gave-access-to-millions-of-private-repos\/","title":{"rendered":"GitHub fixes RCE flaw that gave access to millions of private repos"},"content":{"rendered":"<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/github-fixes-rce-flaw-that-gave-access-to-millions-of-private-repos\/\">GitHub fixes RCE flaw that gave access to millions of private repos<\/a><\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/github-fixes-rce-flaw-that-gave-access-to-millions-of-private-repos\/\">https:\/\/www.bleepingcomputer.com\/news\/security\/github-fixes-rce-flaw-that-gave-access-to-millions-of-private-repos\/<\/a><\/p>\n<p>Publish Date: 2026-04-29 08:41:00<\/p>\n<p>Source Domain: www.bleepingcomputer.com<\/p>\n<p>In early March, GitHub patched a critical remote code execution vulnerability (CVE-2026-3854) that could have allowed attackers to access millions of private repositories.<\/p>\n<p>The flaw was reported on March 4, 2026, by researchers at cybersecurity firm Wiz through GitHub&#8217;s bug bounty program. 
GitHub Chief Information Security Officer Alexis Wales said the company&#8217;s security team reproduced and confirmed the vulnerability within 40 minutes and deployed a fix to GitHub.com less than two hours after receiving the report.<\/p>\n<p>CVE-2026-3854 affects GitHub.com, GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, GitHub Enterprise Cloud with Enterprise Managed Users, and GitHub Enterprise Server.<\/p>\n<p>Successful exploitation requires only a single maliciously crafted &#8216;git push&#8217; command and can grant attackers with push access full read\/write access to private repositories on GitHub.com or on vulnerable GitHub Enterprise servers.<\/p>\n<p>The vulnerability lies in how GitHub handles user-supplied options during git push operations: values passed by users were incorporated into internal server metadata without sufficient sanitization, allowing attackers to inject additional fields that the downstream service trusted.<\/p>\n<p>As Wales explained on Tuesday, an attacker could bypass sandboxing protections and execute arbitrary code on the server handling the push by chaining multiple injected values together.<\/p>\n<p><img decoding=\"async\" alt=\"CVE-2026-3854 exploitation\" height=\"400\" src=\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1109292\/2026\/CVE-2026-3854%20exploitation.jpg\" width=\"654\"\/>CVE-2026-3854 exploitation (Wiz)<\/p>\n<p>&#8220;Exploitation could expose the codebases of nearly all of the world&#8217;s biggest enterprises, making this one of the most severe SaaS vulnerabilities ever found,&#8221; a Wiz spokesperson told BleepingComputer.<\/p>\n<p>&#8220;On GitHub.com, this vulnerability allowed remote code execution on shared storage nodes. 
We confirmed that millions of public and private repositories belonging to other users and organizations were accessible on the affected nodes,&#8221; Wiz security researcher Sagi Tzadik added in a Tuesday report.<\/p>\n<p>&#8220;On&#8230;<\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/github-fixes-rce-flaw-that-gave-access-to-millions-of-private-repos\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>GitHub fixes RCE flaw that gave access to millions of private repos https:\/\/www.bleepingcomputer.com\/news\/security\/github-fixes-rce-flaw-that-gave-access-to-millions-of-private-repos\/ Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":237150,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.bleepstatic.com\/content\/hl-images\/2026\/04\/29\/GitHub.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,27],"class_list":["post-237149","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/237149"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=237149"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/237149\/revisions"}],"predecessor-version":[{"id":237151,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/237149\/revisions\/237151"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.c
om\/index.php\/wp-json\/wp\/v2\/media\/237150"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=237149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=237149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=237149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}