Remote Code Execution Vulnerability in GitHub Enterprise Server
CVE-2026-3854

8.7HIGH

Key Information:

Vendor: Github
Status: Enterprise Server
Vendor: CVE Published:; 10 March 2026

What is CVE-2026-3854?

An improper neutralization of special elements vulnerability has been identified in GitHub Enterprise Server, which allows an attacker with push access to a repository to execute arbitrary code. During a 'git push' operation, user-supplied push option values were not adequately sanitized before being incorporated into internal service headers. Since the format of the internal headers utilized a delimiter character that could appear within user input, attackers could inject additional metadata fields leveraging crafted push option values, potentially affecting the security of the instance. This vulnerability was disclosed via the GitHub Bug Bounty program and has been remediated in specified versions of GitHub Enterprise Server.

Affected Version(s)

Enterprise Server 3.14.0 <= 3.14.24

Enterprise Server 3.15.0 <= 3.15.19

References

https://docs.github.com/en/enterprise-server@3.14/admin/r...

https://docs.github.com/en/enterprise-server@3.15/admin/r...

https://docs.github.com/en/enterprise-server@3.16/admin/r...

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 10, 2026
Vulnerability Reserved
Mar 9, 2026

Credit

Sagi Tzadik @ Wiz.io

CVE-2026-3854 Data

JSON

Github

What is CVE-2026-3854?

Affected Version(s)

References

CVSS V4

Timeline

Credit