Quick Facts
- Category: Cybersecurity
- Published: 2026-05-02 05:23:05
Introduction
On March 4, 2026, GitHub’s Bug Bounty program received a report from security researchers at Wiz describing a critical remote code execution vulnerability. The flaw affected multiple GitHub offerings: github.com, GitHub Enterprise Cloud (including versions with Data Residency and Enterprise Managed Users), and GitHub Enterprise Server. Within just a few hours, the GitHub security team validated the finding, deployed a fix to github.com, and conducted a thorough forensic investigation — concluding that no exploitation had occurred. This article details the incident, the swift response, and the measures being taken to prevent similar vulnerabilities in the future.

Receiving the Bug Bounty Report
The researchers demonstrated that any user with push access to a repository — even one they created themselves — could achieve arbitrary command execution on the GitHub server processing their git push. The attack required only a single command: git push with a specially crafted push option that contained an unsanitized character.
GitHub’s security team immediately began validating the report. Within 40 minutes, the vulnerability was reproduced internally and its severity confirmed as critical, prompting immediate action.
Understanding the Vulnerability
When a user pushes code to GitHub, the operation passes through multiple internal services. Metadata about the push — such as the repository type and processing environment — is shared between services using an internal protocol.
The vulnerability stemmed from how user-supplied git push options were handled within this metadata. Git push options are a legitimate feature that allows clients to send key-value strings to the server during a push. However, the values provided by the user were incorporated into the internal metadata without adequate sanitization. Because the internal metadata format used a delimiter character that could also appear in user input, an attacker could inject additional fields that a downstream service would interpret as trusted internal values.
By chaining several injected values, the researchers showed that an attacker could:
- Override the environment in which the push was processed
- Bypass sandboxing protections that normally constrain hook execution
- Execute arbitrary commands on the server
Responding to the Vulnerability
With the root cause identified on March 4, 2026, at 5:45 p.m. UTC, GitHub’s engineering team developed and deployed a fix to github.com by 7:00 p.m. UTC — less than two hours later. The fix ensures that user-supplied push option values are properly sanitized and can no longer influence internal metadata fields.
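The delimiter-injection pattern described above, and the kind of fix that closes it, can be shown on a toy metadata format. The following is an added example written for this article; it is not GitHub's code, and the record format, the field separator (ASCII unit separator), the field names `repo_type`, `env` and `opt`, and the allow-list rules are all assumptions made for illustration. The naive serializer appends push option values verbatim, so a value that happens to contain the separator turns into extra fields that the downstream parser treats as server-set; the hardened version validates option values against an allow-list, escapes the structural characters anyway, keeps client options in their own namespace, and rejects any record in which a trusted field appears twice.

```python
"""Delimiter injection via git push options: a vulnerable serializer next to a
hardened one. The record format, separator and field names below are
constructed for this example and are not GitHub's internal protocol."""
import re
from typing import Dict, List, Tuple

FIELD_SEP = "\x1f"                      # assumed internal field delimiter
TRUSTED_KEYS = ("repo_type", "env")     # assumed fields set only by the server
MAX_OPTION_LEN = 256                    # assumed upper bound for one option
_PRINTABLE_ASCII = re.compile(r"[\x20-\x7e]+")
_PERCENT_ESCAPE = re.compile(r"%([0-9A-F]{2})")


class InvalidPushOption(ValueError):
    """Raised when a client-supplied push option fails validation."""


def serialize_naive(trusted: Dict[str, str], push_options: List[str]) -> str:
    """VULNERABLE pattern: option values are concatenated verbatim, so a value
    containing FIELD_SEP becomes additional fields in the record."""
    fields = [f"{k}={v}" for k, v in trusted.items()]
    fields += [f"opt={opt}" for opt in push_options]
    return FIELD_SEP.join(fields)


def parse_naive(record: str) -> Dict[str, str]:
    """Downstream consumer that trusts every field; a repeated key silently
    overwrites the value the server set earlier in the record."""
    out: Dict[str, str] = {}
    for field in record.split(FIELD_SEP):
        key, _, value = field.partition("=")
        out[key] = value
    return out


def validate_push_option(opt: str) -> str:
    """Allow-list check: printable ASCII only (this rejects FIELD_SEP and every
    other control character) and a bounded length."""
    if not 0 < len(opt) <= MAX_OPTION_LEN:
        raise InvalidPushOption("push option length out of range")
    if not _PRINTABLE_ASCII.fullmatch(opt):
        raise InvalidPushOption("push option contains a non-printable character")
    return opt


def _escape(value: str) -> str:
    """Percent-encode the characters that are structural in this format, so the
    record stays unambiguous even if validation were ever skipped upstream."""
    return value.replace("%", "%25").replace(FIELD_SEP, "%1F")


def _unescape(value: str) -> str:
    # Single pass: every "%XX" in an escaped value was produced by _escape.
    return _PERCENT_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def serialize_hardened(trusted: Dict[str, str], push_options: List[str]) -> str:
    """Fixed pattern: validate, then escape, then append under the 'opt' key."""
    fields = [f"{k}={v}" for k, v in trusted.items()]
    fields += ["opt=" + _escape(validate_push_option(o)) for o in push_options]
    return FIELD_SEP.join(fields)


def parse_hardened(record: str) -> Tuple[Dict[str, str], List[str]]:
    """Keeps server-set fields and client options in separate namespaces and
    rejects a record in which a trusted key appears more than once."""
    trusted: Dict[str, str] = {}
    options: List[str] = []
    for field in record.split(FIELD_SEP):
        key, _, value = field.partition("=")
        if key == "opt":
            options.append(_unescape(value))
        elif key in TRUSTED_KEYS:
            if key in trusted:
                raise ValueError(f"duplicate trusted field {key!r}: record rejected")
            trusted[key] = value
        else:
            raise ValueError(f"unexpected field {key!r}: record rejected")
    return trusted, options


def record_is_accepted(record: str) -> bool:
    """True if the hardened parser accepts the record; a duplicate or unknown
    field is a signal worth logging on the receiving side."""
    try:
        parse_hardened(record)
        return True
    except ValueError:
        return False


def demo() -> Dict[str, object]:
    """Runs both code paths on constructed sample input."""
    trusted = {"repo_type": "user", "env": "sandbox"}
    benign = ["ci.skip", "reviewer=alice"]
    # Constructed sample: one option value that carries the separator.
    hostile = ["ci.skip" + FIELD_SEP + "env=unrestricted"]
    results: Dict[str, object] = {}
    results["naive_env"] = parse_naive(serialize_naive(trusted, hostile))["env"]
    results["hardened_benign"] = parse_hardened(serialize_hardened(trusted, benign))
    try:
        serialize_hardened(trusted, hostile)
        results["hardened_rejects"] = False
    except InvalidPushOption:
        results["hardened_rejects"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two design points carry over to any internal protocol that mixes server-set and client-supplied fields: reject client input that can contain the format's structural characters before it reaches the serializer, and make the consumer refuse records that are malformed (duplicate or unexpected trusted keys) instead of letting the last value win, since that refusal is also the point at which an injection attempt becomes visible in logs.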

For GitHub Enterprise Server, patches were prepared across all supported releases:
- 3.14.25
- 3.15.20
- 3.16.16
- 3.17.13
- 3.18.7
- 3.19.4
- 3.20.0 or later
The vulnerability was published as CVE-2026-3854. GitHub strongly recommends that all GHES customers upgrade to the patched versions immediately.
Lessons Learned and Next Steps
This incident highlights the importance of rigorous input validation when handling user-supplied data that passes through internal systems. GitHub is committed to continuous improvement in several areas:
- Increasing fuzzing and automated testing of internal metadata handling code
- Enhancing the review process for how user inputs interact with trusted internal protocols
- Strengthening sandbox configurations to provide deeper defense-in-depth
The rapid response — from validation to fix in under two hours — was made possible by a well-coordinated cross-team effort and the proactive reporting from the security research community via the Bug Bounty program. GitHub thanks Wiz for their responsible disclosure and collaboration.
For more details, consult the official advisory or the GHES release notes. Stay secure.