A critical vulnerability, tracked as CVE-2026-3854, was discovered in GitHub's internal Git processing pipeline. The flaw allows authenticated users to achieve remote code execution (RCE) on backend systems via a specially crafted git push command.
Affected Platforms
- GitHub.com (cloud platform)
- GitHub Enterprise Server (GHES)
Impact
On GitHub.com, exploitation could enable RCE on shared backend storage nodes, potentially allowing access to repositories of unrelated users due to multi-tenancy. On GHES, the vulnerability could lead to full server compromise, including access to hosted repositories, configuration data, and credentials.
Discovery and Reporting
- Discovered by: Wiz Research using AI-assisted reverse engineering
- Reported: March 4, 2026
- Patched (GitHub.com): Within 6 hours on the same day
- Patched (GHES): Patches released on March 10, 2026; fixed in versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3, or later releases in each of those lines
- Public disclosure: April 28, 2026
Technical Details
The vulnerability stems from an injection flaw in the X-Stat header, a metadata structure used for communication between internal services during git push operations. User-controlled input (Git push options) was inserted into the header without proper sanitization, allowing attackers to inject additional fields that override security-critical configurations due to last-write-wins logic.
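The paragraph above describes a classic injection-into-metadata defect: untrusted input gains structural meaning inside a header, and a last-write-wins parser lets the injected field override a trusted one. The following is an added toy model of that flaw class and its fix, written for this page; it is not GitHub's code, and the real X-Stat format is not public. The newline-separated key=value layout, the field names (sandbox, push-options), the HeaderError class and the demo() function are all assumptions made for illustration.

```python
# Added example (not GitHub's code): a toy model of the flaw class described
# above. The real X-Stat format is not public; the key=value, newline-separated
# layout and the field names are ASSUMPTIONS used only to show the defect
# (untrusted data becoming structure, last-write-wins) and two ways to fix it.
from typing import Dict, List

# Fields the internal service is assumed to set itself (hypothetical names).
TRUSTED_DEFAULTS = {"sandbox": "enabled"}


class HeaderError(ValueError):
    """Raised when a header or push option is rejected (hypothetical type)."""


def build_header_vulnerable(push_options: List[str]) -> str:
    """Concatenates caller-supplied push options into the header without
    sanitisation: a newline inside an option becomes a new field."""
    lines = [f"{k}={v}" for k, v in TRUSTED_DEFAULTS.items()]
    lines.append("push-options=" + ",".join(push_options))
    return "\n".join(lines)


def parse_header_last_write_wins(header: str) -> Dict[str, str]:
    """Last-write-wins: a duplicate key silently overrides the earlier value."""
    fields: Dict[str, str] = {}
    for line in header.splitlines():
        key, _, value = line.partition("=")
        fields[key] = value
    return fields


def build_header_hardened(push_options: List[str]) -> str:
    """Fix at the producer: reject any option carrying a field separator or
    key delimiter, so untrusted data never gains structural meaning."""
    for opt in push_options:
        if any(c in opt for c in "\r\n=") or not opt.isprintable():
            raise HeaderError(f"push option contains forbidden character: {opt!r}")
    lines = [f"{k}={v}" for k, v in TRUSTED_DEFAULTS.items()]
    lines.append("push-options=" + ",".join(push_options))
    return "\n".join(lines)


def parse_header_strict(header: str) -> Dict[str, str]:
    """Fix at the consumer: reject duplicate keys instead of letting the last
    one win, and reject malformed lines rather than guessing."""
    fields: Dict[str, str] = {}
    for line in header.splitlines():
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise HeaderError(f"malformed field: {line!r}")
        if key in fields:
            raise HeaderError(f"duplicate field {key!r} rejected")
        fields[key] = value
    return fields


def demo() -> Dict[str, str]:
    """Runs one constructed option list through both the vulnerable and the
    hardened paths and reports what each one did."""
    # Constructed input: a push option with an embedded newline and a
    # duplicate of a trusted field name.
    hostile = ["ci.skip", "x\nsandbox=disabled"]
    vulnerable = parse_header_last_write_wins(build_header_vulnerable(hostile))
    try:
        build_header_hardened(hostile)
        hardened_builder = "accepted"
    except HeaderError:
        hardened_builder = "rejected"
    try:
        parse_header_strict(build_header_vulnerable(hostile))
        strict_parser = "accepted"
    except HeaderError:
        strict_parser = "rejected"
    return {
        "vulnerable_sandbox": vulnerable["sandbox"],  # the trusted default is overridden
        "hardened_builder": hardened_builder,
        "strict_parser": strict_parser,
    }


if __name__ == "__main__":
    print(demo())
```

Both fixes are worth applying together: rejecting delimiters at the producer stops the injection at its source, while refusing duplicate keys at the consumer means an internal service no longer trusts that the header it receives was built correctly, which is the broader lesson the article draws about unverified internal protocols. A production format would more likely escape or length-prefix values than forbid the "=" character outright; the blanket rejection here keeps the toy readable.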
Exploitation Steps
- Disable sandbox protections: Alter environment settings to force execution outside secure isolation
- Redirect execution paths: Redefine custom directories for scripts
- Trigger arbitrary code execution: Inject malicious paths to execute attacker-controlled binaries
Initially, the exploit failed on GitHub.com due to enterprise-specific features being disabled by default. However, attackers could re-enable those features by injecting another field into the vulnerable header.
Response
GitHub's Chief Information Security Officer Alexis Wales stated the finding underscores the importance of collaboration between platforms and the security research community. The vulnerability earned one of the highest payouts in GitHub's bug bounty program.
Recommendations for Organizations Using GHES
- Apply security patches immediately
- Audit systems for unusual Git activity
- Review access logs and repository integrity
- Restrict unnecessary custom hook configurations
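A GHES administrator acting on the first recommendation needs to know whether a given instance is on a fixed release. The following added script, written for this page and not published by GitHub or Wiz, compares a GHES version string against the first patched release of its minor line using the versions listed under "Patched (GHES)". The parse_version, is_patched and triage functions and the sample version strings are constructed for illustration; the rule that minor lines newer than 3.19 already carry the fix is an assumption, not a statement from the article.

```python
# Added example (not GitHub's or Wiz's code): checks GHES version strings
# against the fixed releases listed in the article. Names and sample versions
# are constructed for this illustration.
from typing import Dict, Iterable, Tuple

# First patched release per minor line, taken from the article.
PATCHED = {
    (3, 14): 24,
    (3, 15): 19,
    (3, 16): 15,
    (3, 17): 12,
    (3, 18): 6,
    (3, 19): 3,
}


def parse_version(s: str) -> Tuple[int, int, int]:
    """Parses 'MAJOR.MINOR.PATCH' (an optional leading 'v' is tolerated)."""
    parts = s.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version: {s!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_patched(version: str) -> bool:
    """True if the version is at or above the fixed release of its line."""
    major, minor, patch = parse_version(version)
    if (major, minor) in PATCHED:
        return patch >= PATCHED[(major, minor)]
    # ASSUMPTION: minor lines newer than any listed shipped after the fix.
    # Lines older than 3.14 are not listed and are treated as unpatched.
    return (major, minor) > max(PATCHED)


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Maps each version string to 'patched' or 'UNPATCHED' for a fleet report."""
    return {v: ("patched" if is_patched(v) else "UNPATCHED") for v in versions}


if __name__ == "__main__":
    # Constructed sample fleet; not real hosts.
    sample_fleet = ["3.18.6", "3.18.5", "3.14.24", "3.13.9", "v3.19.3", "3.16.14"]
    for version, state in triage(sample_fleet).items():
        print(f"{version:>8}  {state}")
```

In practice the version string would come from each instance's management console or API rather than a hard-coded list, and any host reporting an unlisted or unparseable version should be treated as unpatched until confirmed.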
Broader Implications
According to Wiz Research, approximately 88% of GHES instances remained unpatched at the time of publication. The vulnerability highlights risks in complex distributed systems where internal protocols are trusted without verification.