A critical vulnerability hit GitHub this week. CVE-2026-3854. Authenticated users could run arbitrary commands on the backend with a single git push. GitHub.com was patched fast. 88% of self-hosted GitHub Enterprise instances are still vulnerable. Companies set up self-hosted infrastructure as a project. Install it. Configure it. Walk away. Then a year goes by. The patches stop getting applied. The team rotates. Nobody owns it. The thing keeps running because the people who built it left it stable. That works until it doesn't. The same shape shows up everywhere in small business automation. A VPS running n8n. A Docker container with a webhook handler somebody set up two years ago. A Zapier account with 40 zaps and three former employees as the email contacts. An audit catches the version drift, the credentials sitting in plain text, the workflow paused since March, the API key that should have been rotated. If you've got self-hosted anything in your stack and you haven't audited it this year, you're the 88%. #automation #cybersecurity #smallbusiness #infosec
GitHub Vulnerability CVE-2026-3854 Affects Self-Hosted Instances
More Relevant Posts
-
GitHub leaked webhook secrets in HTTP headers for four months. Between September and December 2025, a new webhook platform feature flag exposed secrets base64-encoded in X-Github-Encoded-Secret headers to any receiving endpoint. Fixed in January, but if you log request headers, those secrets are sitting in your logs right now. #GitHub #Security #WebSecurity #DevOps https://github.com
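The post above says the leaked value was base64-encoded in an `X-Github-Encoded-Secret` header, so the cleanup task on the receiving side is to find every logged copy of that header, confirm it is a decodable value, and redact it. The scanner below is an added example, not GitHub's or any project's code; the header name comes from the post, while the log line layouts are constructed samples (a JSON-style header dump and a key=value logger) chosen to show that the match must tolerate different quoting, separators and header-name casing.

```python
import base64
import binascii
import re

# Header name from the post above. The log line layouts below are constructed
# samples, not real GitHub or proxy output.
SECRET_HEADER = "X-Github-Encoded-Secret"

# Header name, optional quote, ':' or '=' separator, optional quote, then a run
# of base64 characters. Case-insensitive because many log agents lowercase
# header names before writing them out.
_HEADER_RE = re.compile(
    r"(?i)" + re.escape(SECRET_HEADER) + r"[\"']?\s*[:=]\s*[\"']?([A-Za-z0-9+/=]+)"
)

# Constructed sample: one JSON-style header dump that carries the secret, one
# clean request, and one key=value style line from a different logger.
SAMPLE_LOG = [
    '2025-10-03T12:00:01Z POST /hooks/github 200 headers={"X-GitHub-Event": "push", '
    '"X-Github-Encoded-Secret": "c3VwZXItc2VjcmV0LXRva2Vu", "User-Agent": "GitHub-Hookshot/abc"}',
    '2025-10-03T12:00:02Z POST /hooks/github 200 headers={"X-GitHub-Event": "ping", '
    '"User-Agent": "GitHub-Hookshot/abc"}',
    '2025-11-15T08:30:00Z request headers: x-github-encoded-secret=YW5vdGhlci1zZWNyZXQ= host=hooks.example.internal',
]


def find_leaked_secret_headers(lines):
    """Scan log lines for the leaked header.

    Returns (hits, redacted_lines). Each hit is (line_number, decoded_length):
    the decoded byte length is recorded so an operator can compare it with the
    length of the configured webhook secrets without copying the secret itself
    into a report; it is None when the value is not valid base64.
    redacted_lines is the same log with the header value replaced, so a
    cleaned copy can be kept while the originals are purged.
    """
    hits = []
    redacted = []
    for lineno, line in enumerate(lines, start=1):
        m = _HEADER_RE.search(line)
        if m:
            try:
                decoded_len = len(base64.b64decode(m.group(1), validate=True))
            except (binascii.Error, ValueError):
                decoded_len = None
            hits.append((lineno, decoded_len))
            line = line[: m.start(1)] + "[REDACTED]" + line[m.end(1) :]
        redacted.append(line)
    return hits, redacted


if __name__ == "__main__":
    found, cleaned = find_leaked_secret_headers(SAMPLE_LOG)
    for lineno, n in found:
        print(f"line {lineno}: {SECRET_HEADER} present (decoded length: {n})")
    print("\n".join(cleaned))
```

Run it against the sample and it reports lines 1 and 3 and leaves line 2 untouched. Finding a hit means the webhook secret for that endpoint has to be rotated, not just scrubbed from the log: the header reached every receiver, and any upstream proxy or SIEM that captured request headers has its own copy.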
-
🚨 A critical RCE vulnerability in GitHub (CVE-2026-3854), discovered by Wiz researchers, allows remote code execution via a single malicious Git push. GitHub.com was silently patched within hours but organizations running self-hosted GitHub Enterprise must confirm their version is updated. For teams using GitHub in CI/CD or development workflows, this is a supply chain risk you cannot ignore. #cybersecurity #GitHub #RCE #SupplyChainSecurity #CISO
-
“Cybersecurity researchers have disclosed details of a critical security vulnerability impacting GitHub.com and GitHub Enterprise Server that could allow an authenticated user to obtain remote code execution with a single "git push" command. The flaw, tracked as CVE-2026-3854 (CVSS score: 8.7), is a case of command injection that could allow an attacker with push access to a repository to achieve remote code execution on the instance. "During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers," per a GitHub advisory for the vulnerability. "Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values." Google-owned cloud security firm Wiz has been credited with discovering and reporting the issue on March 4, 2026, with GitHub validating and deploying a fix to GitHub.com within two hours.” A critical GitHub vulnerability, CVE-2026-3854, could allow an authenticated user with repository push access to achieve remote code execution using a single git push command. The flaw came from improperly sanitized push options being passed into GitHub’s internal service headers, allowing attackers to inject metadata and potentially execute commands. GitHub patched GitHub.com within two hours, while Enterprise Server users must update to fixed versions. The issue is serious because GitHub sits at the center of many software supply chains. Even though there is no evidence of malicious exploitation, affected organizations should patch GitHub Enterprise Server immediately, review repository access, and monitor unusual push activity. This case shows how small internal protocol assumptions can create major platform-level risks. https://lnkd.in/gsaJzRsG #GitHubSecurity #RCE #SupplyChainSecurity #CyberSecurity #CyberCrime #Cybertronium #CybertroniumMalaysia
-
Critical GitHub Vulnerability (CVE-2026-3854) – A Lesson in System Design

A recent discovery by Wiz revealed a Remote Code Execution (RCE) flaw in GitHub’s internal Git infrastructure. What stands out is how simple the trigger was: a single git push from an authenticated user.

What went wrong?
• Internal services trusted a shared header (X-Stat) without proper validation
• User-controlled input (git push options) was not sanitized
• A delimiter-based parsing design allowed field injection
• Multiple components made reasonable assumptions, but together they created a critical vulnerability

Impact
On GitHub Enterprise Server: full server compromise
On GitHub.com: risk of cross-tenant exposure due to shared infrastructure

What this teaches us
This is less about one bug and more about how systems are built:
• Never blindly trust internal protocols
• Do not rely on upstream services for sanitization
• Be careful with delimiter-based parsing formats
• Validate data at every boundary, even inside your system

Another important shift: this vulnerability was discovered using AI-assisted reverse engineering. That changes how we should think about both offense and defense in security.

Action
GitHub has already been patched. GitHub Enterprise Server users should upgrade to version 3.19.3 or later.

The bigger takeaway is simple: systems rarely fail because of one mistake. They fail when small assumptions line up in the wrong way.

#CyberSecurity #GitHub #SystemDesign #DevSecOps #CloudSecurity
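The post above (and the advisory quoted two posts earlier) describes the root cause as a delimiter-based internal header whose delimiter could also appear in user-supplied push option values, and its lessons are to escape at the producer and validate at every consumer. The toy below is an added example, not GitHub's or Wiz's code, and its `key=value;key=value` format and field names are constructed for illustration; the post does not describe the real X-Stat layout. It places a naive encoder and parser beside hardened ones so the difference in what the receiving side ends up believing is visible in the parsed result.

```python
from urllib.parse import quote, unquote

# Constructed toy format: fields separated by ';', key and value by '='. This
# illustrates the delimiter problem the post describes; it is not GitHub's
# actual X-Stat header layout, which the post does not spell out.
FIELD_SEP = ";"
KV_SEP = "="
# Fields the receiving service expects; anything else is a protocol violation.
ALLOWED_KEYS = frozenset({"repo", "user", "pushopt"})


def encode_naive(fields):
    """Producer that concatenates raw values. A value containing ';' or '='
    changes the field structure of the header instead of staying data."""
    return FIELD_SEP.join(f"{k}{KV_SEP}{v}" for k, v in fields.items())


def parse_naive(raw):
    """Consumer that trusts the header: splits on the delimiters, last key
    wins, no allowlist of keys."""
    out = {}
    for part in raw.split(FIELD_SEP):
        k, _, v = part.partition(KV_SEP)
        out[k] = v
    return out


def encode_safe(fields):
    """Producer side of the fix: percent-encode every value with no characters
    marked safe, so neither delimiter can appear inside encoded data, and
    refuse to emit keys the receiver does not know."""
    parts = []
    for k, v in fields.items():
        if k not in ALLOWED_KEYS:
            raise ValueError(f"refusing unknown field {k!r}")
        parts.append(f"{k}{KV_SEP}{quote(str(v), safe='')}")
    return FIELD_SEP.join(parts)


def parse_safe(raw):
    """Consumer side of the fix: validate independently of the producer,
    rejecting malformed, unknown or duplicate fields and any raw '=' left in
    a value (a conforming producer would have percent-encoded it)."""
    out = {}
    for part in raw.split(FIELD_SEP):
        k, sep, v = part.partition(KV_SEP)
        if not sep or not k:
            raise ValueError(f"malformed field {part!r}")
        if k not in ALLOWED_KEYS:
            raise ValueError(f"unknown field {k!r}")
        if k in out:
            raise ValueError(f"duplicate field {k!r}")
        if KV_SEP in v:
            raise ValueError(f"unencoded delimiter in value of {k!r}")
        out[k] = unquote(v)
    return out


def is_rejected(raw):
    """True when the hardened parser refuses the header."""
    try:
        parse_safe(raw)
    except ValueError:
        return True
    return False


def demo():
    # Constructed push option value that happens to contain both delimiters.
    fields = {"repo": "org/app", "pushopt": "ci-build;user=other"}
    naive_raw = encode_naive(fields)
    safe_raw = encode_safe(fields)
    return {
        "naive_raw": naive_raw,
        "naive_parsed": parse_naive(naive_raw),  # three fields: one was injected
        "safe_raw": safe_raw,
        "safe_parsed": parse_safe(safe_raw),     # round-trips the two original fields
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things are worth noticing in the output. The naive pipeline turns one push option into a third, attacker-chosen field, while the safe pipeline returns exactly the two fields that went in. And `parse_safe` still accepts the naive encoder's output, because the injected key is one the receiver legitimately knows; consumer-side allowlisting and duplicate checks narrow the damage but only escaping at the producer removes the ambiguity, which is why the post insists on both.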
-
One of the more interesting GitHub Advanced Security updates I’ve seen recently is the addition of deployment context directly into repository properties and security alerts. You can now see which repos are actually deployed, where they’re running, and tie that back to the alerts you’re looking at without having to piece it together yourself. That changes the conversation a bit. Not every alert carries the same weight, but most tools still treat them that way. When you can quickly tell what’s tied to something live in production versus something sitting idle, prioritization gets a lot more practical. For anyone who cares about getting better signal out of their security alerts, this is a meaningful step forward. Having that extra layer of context makes it easier to focus on what actually matters and move faster when it counts. https://lnkd.in/en56tbSK
-
In early March, GitHub patched a critical remote code execution vulnerability (CVE-2026-3854) that could have allowed attackers to access millions of private repositories.
-
GitHub CVE-2026-3854: A Single Git Push Could Have Compromised Millions of Repositories. Wiz researchers disclosed CVE-2026-3854, a CVSS 8.7 command injection flaw in GitHub Enterprise Server and GitHub.com that allowed remote code execution with a single git push. GitHub patched within two hours in March 2026 and disclosed publicly in late April. https://lnkd.in/eTQGWPGy
-
GitHub's 2026 roadmap focuses on securing GitHub Actions across three layers: 📦 Ecosystem: Deterministic dependencies and more secure publishing 🛡️ Attack surface: Policies, secure defaults, and scoped credentials 🏗️ Infrastructure: Real-time observability and enforceable network boundaries for CI/CD runners Here’s what’s coming next, and when. ⬇️ https://lnkd.in/gc5fpBe3
-
GitHub's critical remote code execution flaw — where a single git push command could have compromised millions of repositories — was reported on March 4 and fixed the same day for GitHub.com. But companies running self-hosted GitHub Enterprise Server had to apply a separate patch released March 6, and 88% of those installations were still unpatched when the flaw became public. GitHub.com users needed to do nothing; enterprise administrators needed to act immediately. If your organisation self-hosts GitHub and your IT team has not confirmed the patch is applied, treat the server as potentially compromised until they do. 🚨 #CyberNewsLive https://lnkd.in/e359Q_Xm