Remote Code Execution Vulnerability in GitHub Enterprise Server

CVE-2026-3854

What is CVE-2026-3854?

An improper neutralization of special elements vulnerability has been identified in GitHub Enterprise Server, which allows an attacker with push access to a repository to execute arbitrary code. During a 'git push' operation, user-supplied push option values were not adequately sanitized before being incorporated into internal service headers. Since the format of the internal headers utilized a delimiter character that could appear within user input, attackers could inject additional metadata fields leveraging crafted push option values, potentially affecting the security of the instance. This vulnerability was disclosed via the GitHub Bug Bounty program and has been remediated in specified versions of GitHub Enterprise Server.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References