Critical Flaw Exposed GitHub Repositories
The vulnerability, an injection flaw within GitHub’s internal protocol, allowed any authenticated user to execute arbitrary commands on GitHub’s backend servers. According to Wiz, this could be achieved with a single git push command using a standard Git client. The security firm, which utilized AI in its discovery process, noted that exploitation of this issue is straightforward.
On GitHub Enterprise Server, a successful exploit could lead to a full server compromise, granting attackers access to all repositories and internal secrets. The implications were even more severe for GitHub.com, where CVE-2026-3854 facilitated remote code execution on shared storage nodes. Wiz confirmed that millions of public and private repositories were accessible on these affected nodes.
Authentication and Patching Challenges
While the vulnerability required user authentication, GitHub clarified that any user with push access to a repository, even one they created themselves, could leverage the flaw to execute arbitrary commands on the server. Because creating a repository is enough to obtain push access, this low barrier meant a wide range of users could potentially exploit the weakness.
GitHub promptly addressed the vulnerability, deploying a fix to GitHub.com on March 4, the same day it was reported by Wiz. A patch for Enterprise Server followed on March 10. However, a recent report from Wiz indicated that 88% of Enterprise Server instances had not yet updated to the patched version as of Tuesday, leaving many organizations exposed to this critical threat. This delay in patching highlights an ongoing challenge in enterprise security: self-hosted instances depend on each organization applying the vendor's fix.
The security hole also impacted GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, and GitHub Enterprise Cloud with Enterprise Managed Users.
Urgent Action Required for Enterprise Server Users
Wiz has publicly disclosed the technical details of CVE-2026-3854, while GitHub has described the actions taken and its process for handling such vulnerabilities. Fortunately, GitHub’s forensic investigation determined that the flaw had not been exploited in the wild.
Despite the swift action on GitHub.com, the high percentage of unpatched Enterprise Server instances represents a substantial risk. Organizations utilizing GitHub Enterprise Server are strongly urged to apply the available patches immediately to mitigate the potential for full server compromise and data exfiltration.