A critical remote code execution vulnerability (CVE-2026-3854, CVSS 8.7) was recently disclosed in GitHub’s internal git infrastructure that could be exploited by any authenticated user with repository push access.

The TTPs involved an injection flaw in the X-Stat header: attackers crafted git push options containing semicolons (;) to inject and override internal fields (such as rails_env, custom_hooks_dir, repo_pre_receive_hooks, and user_operator_mode on GitHub.com). This bypassed sandboxing and allowed execution of arbitrary code via pre-receive hooks using only a standard git client.

Potential impact:
- On GitHub Enterprise Server (GHES): Full server compromise, including access to all hosted repositories and internal secrets.
- On GitHub.com: Remote code execution on shared storage nodes, with potential cross-tenant exposure to millions of public and private repositories.

GitHub mitigated the issue on its cloud platform within hours and has released patches for all supported GHES versions (vulnerable ≤ 3.19.1; fixed in 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6, 3.19.3+). Self-hosted administrators should upgrade immediately.

Full technical breakdown from Wiz Research: https://lnkd.in/eRThbsZJ

#GitHub #RCE #Vulnerability #InfoSec #DevSecOps #AppSec #CVE20263854
GitHub RCE Vulnerability CVE-2026-3854 Exploited by Authenticated Users
More Relevant Posts
One authenticated git push achieved remote code execution on GitHub's backend. That's CVE-2026-3854.

Any GitHub user with push access to a repo could inject arbitrary commands by crafting push option values. The internal X-Stat header used a delimiter that appeared in user input. One crafted push and the git service ran hooks with no sandbox, full filesystem access, as the git service user.

GitHub.com was patched silently on March 4. Enterprise Server got a fix on March 10. Public disclosure came April 28. Seven weeks of silence while Help Net Security confirmed 88% of self-hosted GitHub Enterprise Server instances were still running the vulnerable build.

If you're on GHES, you need version 3.19.3 or later. The CVSS score is 8.7. The attack doesn't need a zero-click exploit or advanced tooling. Write access to any repository is enough.

The seven-week disclosure gap bothers me more than the bug. Responsible disclosure gives defenders time to patch. Running 88% of enterprise instances exposed while the vendor says nothing isn't coordinated disclosure. It's a liability transfer.

When did your security team last verify which GitHub Enterprise Server version your organization is running?

#AppSec #GitHub #CVE20263854 #SupplyChainSecurity #DevSecOps
🔧 GitHub uses eBPF to fix a problem most teams don't even know they have until an outage hits.

Here's the scenario: GitHub goes down. To fix it, you need to deploy a fix. But your deploy script pulls a binary... from GitHub. 💀 Classic circular dependency.

The obvious fix? Block access to github.com from the deploy machine. But these are stateful hosts serving live traffic; you can't just cut them off.

So GitHub's engineers got creative with eBPF:
→ They create a cGroup containing only the deployment script process
→ An eBPF program hooks into network egress for just that cGroup
→ DNS queries from the deploy script are intercepted and routed to a custom userspace proxy
→ The proxy evaluates domains against a blocklist and communicates results back via eBPF Maps
→ Bonus: the tool captures the exact process ID + command line that triggered each blocked request

The result? A log line like this:
📋 WARN DNS BLOCKED domain=github.com cmd="curl github.com"

This means teams immediately know what's causing the circular dependency: no guesswork, no hunting.

What I love about this approach:
✅ Surgical precision: only the deploy process is sandboxed, not the whole host
✅ No iptables rules, no infra changes, just kernel-level hooks
✅ Full observability: every domain touched during a deploy is audited
✅ Bonus: cGroups also enforce CPU/memory limits on deploy scripts

eBPF continues to be one of the most underrated tools in the platform engineering toolkit.

#eBPF
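The userspace half of the design in the post above, as an added example that is not GitHub's code: the eBPF side is assumed to hand the proxy the raw DNS query bytes together with the pid and command line of the sender, so those inputs are constructed inline here; the blocklist entries and the pid field in the log line are also assumptions. The QNAME parser works on real DNS wire format, and the blocklist is matched by suffix so that api.github.com is caught along with github.com.

```python
"""Blocklist evaluation for DNS queries captured from a cgroup-scoped eBPF hook.

Added example, not GitHub's tool.  The kernel side is out of scope; the raw
query bytes and the pid/cmdline are constructed below so the logic runs
offline.
"""
import struct

# Assumed policy: every name under these suffixes is blocked during a deploy.
BLOCKLIST = ("github.com", "objects.githubusercontent.com")


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query (constructed input standing in for the hooked packet)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # QDCOUNT=1, RD set
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def parse_qname(packet: bytes) -> str:
    """Extract the first question's QNAME from a DNS query on the wire."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        n = packet[pos]
        if n == 0:
            break
        if n & 0xC0:  # compression pointers never appear in a query's question name
            raise ValueError("compressed label in query")
        pos += 1
        labels.append(packet[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels).lower()


def is_blocked(domain: str) -> bool:
    """Suffix match: api.github.com is blocked along with github.com, notgithub.com is not."""
    d = domain.lower().rstrip(".")
    return any(d == b or d.endswith("." + b) for b in BLOCKLIST)


def evaluate(packet: bytes, pid: int, cmdline: str) -> tuple:
    """Return (blocked, log_line); the line shape follows the post's sample, plus pid."""
    domain = parse_qname(packet)
    if is_blocked(domain):
        return True, f'WARN DNS BLOCKED domain={domain} pid={pid} cmd="{cmdline}"'
    return False, f'INFO DNS ALLOWED domain={domain} pid={pid} cmd="{cmdline}"'


if __name__ == "__main__":
    # Constructed events: what the eBPF side would report for two lookups.
    events = [("github.com", 4242, "curl github.com"),
              ("artifacts.internal.example", 4243, "curl artifacts.internal.example")]
    for name, pid, cmd in events:
        print(evaluate(build_query(name), pid, cmd)[1])
```

The decision is pushed back through the eBPF map in the real design; here it is just the boolean. Rejecting compressed labels in a query and lowercasing before matching are the two details that matter when user-controlled tooling is the one sending the packets.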
A critical GitHub vulnerability, tracked as CVE-2026-3854, allowed authenticated users to achieve remote code execution (RCE) across GitHub.com and GitHub Enterprise Server using nothing more than a single malicious git push command.

Why This Vulnerability Is So Severe

1. RCE Across Shared Infrastructure
On GitHub.com, exploitation enabled RCE on shared storage nodes, which host data for millions of repositories. Researchers confirmed that the compromised system account had theoretical access to:
- private repositories
- proprietary codebases
- organizational metadata
- internal configuration data
- sensitive secrets and credentials

2. Full Server Compromise on GHES
On GitHub Enterprise Server, the same flaw allowed complete server takeover, including access to all hosted repositories and internal secrets.

3. Extremely Easy to Exploit
The exploit required:
- no special tools
- no elevated privileges
- only a standard Git client
- a single crafted git push command
Researchers described it as “remarkably easy” to exploit.

4. Massive Exposure Window
Even after GitHub patched the issue, 88% of GHES instances remained unpatched at the time of disclosure, leaving thousands of organizations exposed.

This is one of the most severe architectural vulnerabilities ever discovered in GitHub, demonstrating how a single injection flaw in a shared platform can cascade into cross-tenant exposure affecting millions of repositories globally.

It also highlights a new era of AI-assisted vulnerability discovery: this flaw was one of the first major RCEs in closed-source binaries identified using AI-augmented analysis.
Wiz Research Team just disclosed a critical RCE in GitHub's internal git push pipeline affecting both GitHub.com and GitHub Enterprise Server (GHES) (CVE-2026-3854).

git push options are embedded verbatim into an internal X-Stat header without sanitizing semicolons. Since the header parser uses last-write-wins semantics, an authenticated user can inject arbitrary key=value fields by including a semicolon in a push option value.

RCE can be achieved by chaining three injected fields together:
- rails_env: bypasses the hook execution sandbox
- custom_hooks_dir: redirects the hook script lookup path
- repo_pre_receive_hooks: injects a hook definition with path traversal to an arbitrary binary

On GHES, RCE as the git service user means full server compromise. Patch your GHES now and check /var/log/github-audit.log for push operations containing ";" in push options.
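The injection mechanism that the first post, the "one authenticated git push" post and the Wiz summary above all describe, reduced to a runnable model. This is an added example, not GitHub's code: the header layout (key=value pairs joined by semicolons), the server-side default values, the push_option key name and the allowlist regex are assumptions; only the field names, the verbatim embedding of push options and the last-write-wins parsing come from the posts. The block shows the vulnerable builder next to a hardened one and a small detection helper for push-option values that carry the delimiter.

```python
"""Semicolon injection into a key=value;key=value header, modelled on the
CVE-2026-3854 write-ups.  Added example, not GitHub's code: layout, default
values and the push_option key are assumptions."""
import re

INTERNAL_FIELDS = {  # assumed server-side defaults, not GitHub's real values
    "rails_env": "production",
    "custom_hooks_dir": "/data/hooks",
    "repo_pre_receive_hooks": "",
}


def build_header_vulnerable(push_options: list) -> str:
    """Embed push options verbatim: the pattern the advisory describes."""
    fields = [f"{k}={v}" for k, v in INTERNAL_FIELDS.items()]
    fields += [f"push_option={o}" for o in push_options]
    return ";".join(fields)


def parse_header(header: str) -> dict:
    """Last-write-wins parser: a repeated key silently overrides the earlier one."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip()] = v
    return out


# Assumed allowlist: '=' stays legal because `git push -o key=value` is common,
# but the field delimiter ';' (and anything outside this set) is refused.
SAFE_OPTION = re.compile(r"^[A-Za-z0-9_.:/@+=-]+$")


def build_header_hardened(push_options: list) -> str:
    """Refuse any push option that could smuggle a second field into the header."""
    for o in push_options:
        if not SAFE_OPTION.fullmatch(o):
            raise ValueError(f"push option rejected: {o!r}")
    return build_header_vulnerable(push_options)


def suspicious_push_options(options: list) -> list:
    """Detection helper: push options containing the delimiter are injection attempts."""
    return [o for o in options if ";" in o]


if __name__ == "__main__":
    # Hypothetical crafted push option: a harmless-looking value followed by an
    # injected field that overrides the server's own rails_env entry.
    crafted = ["ci=1;rails_env=development"]
    print(parse_header(build_header_vulnerable(crafted))["rails_env"])
    try:
        build_header_hardened(crafted)
    except ValueError as e:
        print(e)
```

Note that switching the parser to first-write-wins would not be a fix on its own; the safe property is that user-supplied bytes can never be confused with the delimiter, which is why the hardened builder rejects at the boundary rather than patching the parser.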
Tired of manually setting GitHub secrets/variables one by one? I built a small bash script that bulk-creates GitHub environment secrets or variables from a .env file, with a masked preview before touching anything.

What it does:
- Reads any .env format (KEY=value, KEY: value, quoted values)
- Auto-detects your repo if you're inside a git directory
- Validates the GitHub environment exists before doing anything
- Shows a masked preview (xxxx****xxxx) and asks for confirmation
- --dry-run mode to validate without creating anything
- Colored output + proper exit codes for CI pipelines

# Secrets
./create-gh-secrets.sh .env.staging my-org/my-repo Staging --secret

# Variables (auto-detect repo)
./create-gh-secrets.sh .env.production Production --variable

# Just preview, don't create anything
./create-gh-secrets.sh .env.staging Staging --secret --dry-run

Saved me a lot of time managing multiple environments across projects. Leaving it here in case it helps someone else.

🔗 https://lnkd.in/d4_RGYb8

#DevOps #GitHub #Bash #DeveloperTools #Automation
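A parser for the three .env shapes the post lists, with the masked preview, as an added example that is not the author's script: the sample file contents are constructed, the `export` prefix and the refusal of unparseable lines are assumptions, and the mask keeps four characters at each end (the post's xxxx****xxxx shape) but blanks short values entirely so the preview cannot leak most of a secret.

```python
"""Parse KEY=value / KEY: value / quoted .env lines and print a masked preview.
Added example, not the post's bash script; SAMPLE_ENV is constructed."""
import re

# Optional `export` prefix is an assumption; keys follow the usual shell identifier rule.
ENV_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*(.*?)\s*$")

SAMPLE_ENV = """\
# constructed sample, not a real secret store
API_KEY=sk_live_1234567890abcdef
DB_HOST: db.internal
PASSWORD="p@ss;word=1"
export REGION='eu-west-1'
EMPTY=
"""


def parse_env(text: str) -> dict:
    """Return an ordered KEY -> value mapping; blank and comment lines are skipped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            # Refuse rather than guess: a half-parsed secret file is worse than none.
            raise ValueError(f"unparseable line: {raw!r}")
        key, val = m.groups()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]          # strip one matching pair of quotes
        env[key] = val
    return env


def mask(value: str, keep: int = 4) -> str:
    """xxxx****xxxx preview; values too short to hide anything are fully masked."""
    if len(value) <= 2 * keep:
        return "*" * len(value)
    return value[:keep] + "****" + value[-keep:]


def preview(env: dict) -> list:
    """Lines to show the operator before anything is sent to GitHub."""
    return [f"{k}={mask(v)}" for k, v in env.items()]


if __name__ == "__main__":
    for line in preview(parse_env(SAMPLE_ENV)):
        print(line)
```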
Securing GitHub: Wiz Research uncovers Remote Code Execution in GitHub.com and GitHub Enterprise Server (CVE-2026-3854) https://lnkd.in/dFief6JS #DevSecOps #SecDevOps #ApplicationSecurity #AppSec #CloudSecurity #CloudSec #SoftwareSecurity
🚨 GitHub's CVE-2026-3854 is real but overhyped for most users: GitHub.com was patched fast, and no in-the-wild exploitation was found. Enterprise Server is a different story. 88% still unpatched at disclosure. The window was open. Alphonse Industries is watching. 🔗 https://lnkd.in/eU5fr-Tu
Day 24 of my 30-day Claude Code series, and this is where GitHub MCP stops being a cool setup and starts being an actual workflow change.

A business owner I know spends the first 20 minutes of every development session doing the same thing. Opening GitHub. Reading through issues. Switching to the terminal. Explaining to Claude what the issue said. Building the feature. Switching back to GitHub to create the PR. Writing a lazy one-liner description because she's already mentally done.

Every one of those switches is friction. Small individually. Expensive over a week. MCP removes all of it.

Here's the full loop workflow that changed how I work day to day. Read the GitHub issue inside Claude Code, not a copy-pasted summary, the actual issue with the real acceptance criteria. Claude plans based on the issue content plus your local codebase context combined. You approve the plan. Claude implements. You review. Claude creates the PR linked to the issue. Claude comments on the issue to say it's done. Zero context switching. Never left the terminal.

Four workflow categories worth building habits around once GitHub MCP is connected.

Issue-driven development. Ask Claude to read an issue and implement the feature it describes, following your CLAUDE.md conventions. Claude has the actual acceptance criteria in context, not your paraphrase of it. The output reflects what was actually asked for.

PR reviews. Ask Claude to review an incoming PR for bugs, convention violations, and missing tests before you look at it yourself. You get a summary in plain English before deciding whether to dig in.

Repo intelligence. Ask for a status report at the start of a session instead of clicking around GitHub for five minutes. Open issues, PRs waiting for review, anything that looks stuck. One prompt, full picture.

Cross-context workflows. This is the most powerful one. Read a bug report from GitHub, trace the root cause in your local code, fix it, then comment on the issue with what was found and what was done. GitHub data plus local file context in one session. That combination didn't exist before MCP.

The developers shipping fastest right now aren't working harder. They've just removed the friction between their tools.

Full breakdown with exact prompts for each workflow: 👉 https://lnkd.in/g-w6kAxZ
From manual deployments → to a production-style CI/CD pipeline

I built an end-to-end pipeline that automatically deploys a Node.js app on every Git push.

🔧 Stack:
• Jenkins (CI/CD automation)
• Docker (containerization)
• Nginx (reverse proxy on port 80)
• AWS EC2 + Elastic IP (stable hosting)
• GitHub Webhooks (auto-trigger)

⚙️ What’s happening under the hood:
GitHub → Webhook → Jenkins → Docker build → Container run → Nginx → Live app

💡 Key things I learned (the real part):
• Debugging branch mismatches (main vs master)
• Handling Jenkins workspace issues
• Fixing Docker permission errors
• Configuring Nginx reverse proxy correctly
• Dealing with changing EC2 IPs → solved with Elastic IP

🌐 Live Demo: http://13.204.10.103
📂 Code: https://lnkd.in/gSJND9Zd

This project pushed me beyond tutorials, into real deployment challenges and troubleshooting. Next up: Kubernetes & monitoring 🚀

#DevOps #CI_CD #Jenkins #Docker #AWS #Nginx #NodeJS #Cloud #Automation #LearningByDoing
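The check a webhook-triggered pipeline like the one above should do before Jenkins builds anything, as an added example that is not the post's project code: GitHub signs the raw request body with HMAC-SHA256 under the webhook secret and sends the result as `X-Hub-Signature-256: sha256=<hex>`, so the receiver recomputes it in constant time, confirms the event type, and only then looks at which branch was pushed (the main-vs-master mismatch the post mentions). The secret, body and header values here are constructed.

```python
"""Gate a Jenkins deploy on a verified GitHub push webhook.
Added example, not the post's pipeline; secret and payload are constructed."""
import hashlib
import hmac
import json
from typing import Optional


def sign(secret: bytes, body: bytes) -> str:
    """The value GitHub places in X-Hub-Signature-256 for this exact body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Constant-time comparison over the raw body, never over a re-serialised JSON."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), header)


def should_deploy(secret: bytes, body: bytes, header: Optional[str],
                  event: Optional[str], branch: str = "main") -> bool:
    """True only for a correctly signed push event to the intended branch."""
    if not verify(secret, body, header):
        return False
    if event != "push":            # X-GitHub-Event; ping/pull_request must not deploy
        return False
    try:
        ref = json.loads(body).get("ref")
    except (ValueError, AttributeError):
        return False
    return ref == f"refs/heads/{branch}"


if __name__ == "__main__":
    secret = b"constructed-webhook-secret"
    body = b'{"ref": "refs/heads/main"}'
    print(should_deploy(secret, body, sign(secret, body), "push"))
    print(should_deploy(secret, body, sign(secret, body), "ping"))
```

Parsing the body only after the signature check is deliberate: an unauthenticated sender should not get to exercise the JSON parser at all, and the branch filter keeps a push to master from triggering the main deploy.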
More from this author
- The Vercel Breach: How an Infostealer Infection at a Third-Party AI Vendor Triggered a Supply Chain Incident (Gerald Beuchelt, 2w)
- Security Insights from the EU Age Verification App Demonstration: Implications for Digital Identity Systems (Gerald Beuchelt, 2w)
- Unsung Heros: Nightshift In The Virtual Operations Center (Gerald Beuchelt, 5y)