Summary
CVE-2026-3854 is a high-severity command injection vulnerability in GitHub Enterprise Server caused by improper sanitization of user-supplied git push options within internal service headers. An attacker with repository push access could craft malicious push options to inject additional metadata fields and achieve remote code execution through a single git push operation, potentially leading to full server compromise and unauthorized access to repositories and internal configuration data. The issue is fixed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, and 3.20.0 or later.
Urgent Actions Required
- Upgrade GitHub Enterprise Server to patched releases immediately.
- Restrict repository push access to trusted users until updates are applied.
- Review /var/log/github-audit.log for suspicious push operations or push options containing semicolons (;).
- Monitor repositories and git push activity for unusual metadata injection attempts.
- Audit systems for unexpected hook execution behavior or unauthorized configuration changes.
Which Systems Are Vulnerable to CVE-2026-3854?
Technical Overview
- Vulnerability Type: Command Injection via Git Push Option Injection
- Affected Software/Versions: GitHub Enterprise Server versions prior to:
- 3.14.25
- 3.15.20
- 3.16.16
- 3.17.13
- 3.18.7
- 3.19.4
- Affected Services:
- GitHub.com
- GitHub Enterprise Cloud
- GitHub Enterprise Cloud with Data Residency
- GitHub Enterprise Cloud with Enterprise Managed Users
- GitHub Enterprise Server
- CVSS Vector: v3.1
- Attack Vector: Network (Git push operation)
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
- Patch Availability: Yes, available
- Release notes - GitHub Enterprise Server 3.19 Docs
How Does the CVE-2026-3854 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2026-3854?
Vulnerability Root Cause:
The vulnerability came from unsafe handling of git push options in GitHub’s internal headers. Since delimiter characters were not properly sanitized, attackers could inject extra metadata, making malicious values appear trusted and enabling security bypass and remote code execution.
How Can You Mitigate CVE-2026-3854?
If immediate patching is delayed or not possible:
- Restrict or review push access for untrusted users on affected GitHub Enterprise Server instances.
- Monitor /var/log/github-audit.log for suspicious git push operations and push options containing semicolons (;).
- Investigate unusual push activity involving crafted push option values or unexpected metadata fields.
- Review systems for abnormal execution paths linked to git push processing.
- Upgrade to the latest supported GitHub Enterprise Server patch release as soon as possible.
Which Assets and Systems Are at Risk?
- Asset Types Affected:
- GitHub Enterprise Server instances running vulnerable versions prior to patched releases
- GitHub cloud-hosted services affected before fixes were deployed
- Shared backend systems handling git push operations and internal metadata processing
- Business-Critical Systems at Risk:
- Source code repositories containing proprietary or sensitive code
- Enterprise development environments hosted on GitHub Enterprise Server
- Internal systems storing repository data, hooks, and configuration information
- Multi-tenant GitHub environments with shared storage infrastructure
- Exposure Level:
- Internet-accessible GitHub Enterprise Server deployments with repository push access enabled
- Environments where authenticated users can perform git push operations
- Organizations using vulnerable GitHub Enterprise Server versions without updated patches
- Shared GitHub infrastructure processing untrusted git push option values
Will Patching CVE-2026-3854 Cause Downtime?
Patch application impact: Low to moderate. GitHub Enterprise Server instances require upgrading to patched versions. Some environments may need maintenance windows or restart activities during deployment.
Mitigation (if immediate patching is not possible): Restrict untrusted push access and monitor git push activity and audit logs for suspicious push options containing semicolons (;).
How Can You Detect CVE-2026-3854 Exploitation?
Exploitation Signatures:
Look for git push operations containing crafted push option values with semicolons (;) or unexpected metadata field injection in internal service headers.
Indicators of Compromise (IOCs/IOAs):
- Git push requests containing semicolons in push option values
- Unexpected metadata fields in internal service headers
- Abnormal pre-receive hook execution activity
- Command execution as the git service user
Behavioral Indicators:
- Unusual git push activity from authenticated users
- Sandbox bypass during hook execution
- Unexpected access to repositories or internal configuration data
Alerting Strategy:
- Priority: Critical
- Trigger alerts for:
- Git push operations containing semicolons in push options
- Unexpected pre-receive hook execution
- Metadata injection attempts during git push processing
Remediation & Response
- Remediation Timeline:
- Immediate: Review and restrict git push access for untrusted users on GitHub Enterprise Server.
- Short-term: Monitor /var/log/github-audit.log for git push operations containing semicolons (;) in push options.
- Post-patch: Upgrade GitHub Enterprise Server to fixed versions (3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4 or later).
- Rollback Plan:
- Revert to the previous stable GitHub Enterprise Server version if the upgrade causes issues, following internal change-management procedures.
- Continue monitoring git push logs during rollback.
- Incident Response Considerations:
- Investigate git push activity involving semicolon (;) injection in push options.
- Review audit logs for abnormal metadata fields introduced during push operations.
- Check for unexpected execution paths triggered during git push processing.
- Validate whether repositories or internal configuration data were accessed during suspicious push activity.
Compliance & Governance Notes
- Audit Trail Requirement:
- Log git push operations containing semicolon (;) usage in push options
- Retain /var/log/github-audit.log entries for suspicious git push activity
- Maintain records of affected and patched GitHub Enterprise Server versions (3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4 or later)
- Track version upgrade actions through change-management logs
- Policy Alignment:
- Enforce validation of user-supplied git push option values before processing in internal headers
- Strengthen monitoring of git push operations and internal metadata handling
- Ensure timely patching of GitHub Enterprise Server instances to fixed versions
- Improve incident response procedures for detecting metadata injection during git push execution
Turn Attackers into Targets with Deception-Based Defense
-
-
- Real-world deception to divert attackers from key assets
- Reduce alert fatigue and improve SOC efficiency
- Detect and trap threats early for stronger defense
-
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 8.8 | High severity vulnerability impacting GitHub Enterprise Server |
| Attack Vector | Network | Exploitable via a remote git push operation |
| Attack Complexity | Low | Exploitation possible with a single crafted git push |
| Privileges Required | Low | Requires push access to a repository |
| User Interaction | None | No user action required beyond the attacker’s push operation |
| Scope | Unchanged | Impact remains within the affected GitHub services instance |
| Confidentiality Impact | High | Can expose repositories and internal data |
| Integrity Impact | High | Allows modification and injection of internal metadata |
| Availability Impact | High | Can lead to service disruption or full system compromise (GHES) |
References:
