GitHub CVE-2026-3854 RCE Vulnerability Patched

🚨 A critical RCE vulnerability in GitHub (CVE-2026-3854), discovered by Wiz researchers, allows remote code execution via a single malicious Git push. GitHub.com was silently patched within hours but organizations running self-hosted GitHub Enterprise must confirm their version is updated. For teams using GitHub in CI/CD or development workflows, this is a supply chain risk you cannot ignore. #cybersecurity #GitHub #RCE #SupplyChainSecurity #CISO

Cybersecurity researchers have disclosed details of a critical security vulnerability impacting GitHub.com and GitHub Enterprise Server that could allow an authenticated user to obtain remote code execution with a single "git push" command. The flaw, tracked as CVE-2026-3854 (CVSS score: 8.7), is a case of command injection that could allow an attacker with push access to a repository to achieve remote code execution on the instance. #Cybersecurity #InformationSecurity #remote #code #execution #Server #Systems #Authentication

GitHub leaked webhook secrets in HTTP headers for four months. Between September and December 2025, a new webhook platform feature flag exposed secrets base64-encoded in X-Github-Encoded-Secret headers to any receiving endpoint. Fixed in January, but if you log request headers, those secrets are sitting in your logs right now. #GitHub #Security #WebSecurity #DevOps https://github.com

In 2026, the CI/CD pipeline has emerged as a significant security risk, particularly concerning supply chain attacks. Notably, between March and April 2026, the TeamPCP and Shai-Hulud campaigns compromised several tools, including Trivy, KICS, LiteLLM, @bitwarden/cli, and intercom-client, using similar attack vectors: - Mutable tag hijacking: Force-pushing malicious code to trusted GitHub Action tags. - Stolen GitHub PATs and publish tokens: reused for lateral movement across repositories and pipelines. - Runner memory scanning: Recovering secrets from runner memory that are masked in logs but still present at runtime. - Exfiltration via the victim’s own private GitHub repositories, blending into trusted outbound traffic and often bypassing egress controls. These attacks can execute without modifying application code directly and often avoid exposing secrets in logs. To address this issue, François Proulx and boostsecurity.io have developed SmokedMeat, an open-source red team framework designed to run this specific kill chain against your organization. It functions similarly to Metasploit but focuses on GitHub Actions: - Recon: Scans workflows for injection flaws and over-permissive tokens - Exploit: Auto-crafts payloads via PR, issue, or comment - Post-exploit: Sweeps runner memory for masked secrets - Pivot: Exchanges OIDC tokens for AWS/GCP/Azure access For more information, check out the blog: https://lnkd.in/ghxGBxrC Explore the GitHub repository: https://lnkd.in/gGNQ54sM

Building in public is the only way to navigate a 2026 job market. 🛡️ I’ve officially launched my Enterprise Security & GRC Home Lab on GitHub. As an MBA in IT Management and Certified Ethical Hacker (CEH), I’m using this to bridge the gap between technical discovery and business-level risk mitigation. The Environment: 🔹 Windows 11 & Ubuntu Server: Hardened targets for testing GPOs and NIST/CIS benchmarks. 🔹 Kali Linux & Parrot OS: Offensive nodes for vulnerability research and security auditing. The Goal: Providing firms with the security maturity they need through fractional advisory and rapid risk assessments. Check out the architecture here: 👉 github.com #Cybersecurity #GRC #vCISO #ITManagement #CEH #InfoSec

A critical vulnerability hit GitHub this week. CVE-2026-3854. Authenticated users could run arbitrary commands on the backend with a single git push. GitHub.com was patched fast. 88% of self-hosted GitHub Enterprise instances are still vulnerable. Companies set up self-hosted infrastructure as a project. Install it. Configure it. Walk away. Then a year goes by. The patches stop getting applied. The team rotates. Nobody owns it. The thing keeps running because the people who built it left it stable. That works until it doesn't. The same shape shows up everywhere in small business automation. A VPS running n8n. A Docker container with a webhook handler somebody set up two years ago. A Zapier account with 40 zaps and three former employees as the email contacts. An audit catches the version drift, the credentials sitting in plain text, the workflow paused since March, the API key that should have been rotated. If you've got self-hosted anything in your stack and you haven't audited it this year, you're the 88%. #automation #cybersecurity #smallbusiness #infosec

Built an end-to-end SOC lab in Azure to detect SSH brute-force attacks. - Onboarded a Linux server using Azure Arc - Collected authentication logs with Log Analytics - Simulated failed SSH login attempts - Built KQL detections and Azure Monitor alerts - Created a workbook dashboard for visibility This was a great hands-on project for learning real-world security monitoring and detection engineering. GitHub: https://lnkd.in/eeaUKXeH #cybersecurity #soc #azure #siem #kql

One of the more interesting GitHub Advanced Security updates I’ve seen recently is the addition of deployment context directly into repository properties and security alerts. You can now see which repos are actually deployed, where they’re running, and tie that back to the alerts you’re looking at without having to piece it together yourself. That changes the conversation a bit. Not every alert carries the same weight, but most tools still treat them that way. When you can quickly tell what’s tied to something live in production versus something sitting idle, prioritization gets a lot more practical. For anyone who cares about getting better signal out of their security alerts, this is a meaningful step forward. Having that extra layer of context makes it easier to focus on what actually matters and move faster when it counts. https://lnkd.in/en56tbSK

Introducing PoCWatch 🔎 I’ve built a live triage dashboard that fetches newly published CVEs in real time enriched with: 🔹 EPSS exploit‑likelihood scores 🔹 NVD reference tags & affected products 🔹 Links to public PoCs on GitHub Built to answer the only question that matters during a vulnerability scramble: 💥 Which of yesterday’s CVEs already have working exploits? The dashboard is designed to make vulnerability triage faster and more evidence‑driven, helping teams focus on what’s actually being exploited. 🛠️ It’s open‑source — contributions, feedback, and collaboration are all welcome. 👉 https://lnkd.in/d_6w5Eub #Security #CyberSecurity #VulnerabilityManagement #Infosec #OpenSource #CVE

Critical GitHub RCE bug exposed millions of repositories A critical command injection flaw in GitHub's server-side git push processing pipeline, tracked as CVE-2026-3854, carried a CVSS score of 8.8 and was patched in Enterprise Server versions 3.14.25 through 3.20.0. The vulnerability resided in an internal component called X-STAT, where crafted push requests could inject arbitrary commands into backend execution. On GitHub.com, this enabled remote code execution on shared storage nodes with access to millions of public and private repositories across tenant boundaries. For self-hosted Enterprise Server deployments, the flaw permitted full server compromise including all repositories and internal secrets. Wiz researchers disclosed that 88% of internet-facing Enterprise Server instances remained unpatched at the time of public disclosure, despite GitHub releasing fixes within hours of the report on March 4, 2026. The finding is notable for its reported use of AI-augmented reverse engineering tooling, IDA MCP, in identifying the vulnerability within closed-source binaries. GitHub's CISO Alexis Wales confirmed the bug earned one of the highest rewards in the company's Bug Bounty programme. This cross-tenant exposure on shared infrastructure brings into light what repository access logs GitHub retains and whether those logs would support attribution of any actual exploitation prior to the March 2026 patch window. #cybersecurity #australiancybersecurity #aics #github #rce #cve20263854 #commandinjection #bugbounty Wiz GitHub Australian Institute of Cyber Security (AICS) https://lnkd.in/gXwZzUmP