Introduction
On March 4, 2026, GitHub's Bug Bounty program received a report from security researchers at Wiz detailing a critical remote code execution vulnerability. The flaw affected github.com, GitHub Enterprise Cloud (with Data Residency and Enterprise Managed Users), and GitHub Enterprise Server. Within two hours, our team validated the finding, deployed a fix to github.com, and completed a forensic investigation that confirmed no exploitation had occurred. This article explains the vulnerability, our response, and the measures we've taken to prevent similar issues.
Timeline of Events
The report arrived at 5:45 p.m. UTC on March 4. Our security team immediately began validation, reproducing the vulnerability internally within 40 minutes. By 7:00 p.m. UTC that same day, a fix was deployed to github.com. For GitHub Enterprise Server, we prepared patches across all supported releases—3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, 3.20.0, or later—and issued CVE-2026-3854. We strongly recommend all GHES customers upgrade promptly.
Understanding the Vulnerability
The attack vector was deceptively simple: any user with push access (including to their own repositories) could execute arbitrary commands on the GitHub server handling their git push. A single command—git push with a crafted push option containing an unsanitized character—was all that was needed.
How Push Options Are Processed
When a developer pushes code, the operation passes through multiple internal services. Metadata about the push—such as repository type and environment—is exchanged using an internal protocol. Git push options, a legitimate feature allowing clients to send key-value strings, were incorporated into this metadata without proper sanitization. The internal metadata format relied on a delimiter character that could also appear in user input. This meant an attacker could inject additional fields, which downstream services would treat as trusted internal values.
Chaining Injections to Bypass Protections
By combining several injected values, researchers demonstrated that an attacker could override the processing environment, bypass sandboxing constraints on hook execution, and ultimately run arbitrary commands on the server. The vulnerability was critical because it required no special privileges beyond push access.
Our Response and Fix
Once the root cause was identified, our engineering team developed a fix that ensures user-supplied push option values are properly sanitized and can no longer influence internal metadata fields. The rapid deployment—within just over an hour of confirmation—minimized risk. A forensic investigation found no evidence of exploitation in the wild. For GitHub Enterprise Server, patches are available today; we urge administrators to apply them immediately.
Preventing Future Vulnerabilities
This incident prompted a review of how we handle user input in internal metadata across our infrastructure. Key measures include:
- Enhanced input validation and sanitization for all user-supplied values that enter internal protocols.
- Additional fuzzing and security testing focusing on boundary cases in push processing.
- Improved logging and monitoring to detect similar injection attempts.
Our Bug Bounty program remains a critical part of our defense. We thank Wiz researchers for their responsible disclosure. For more details on our security practices, see the timeline above or the vulnerability analysis.
Conclusion
The combination of a rapid response, a straightforward fix, and no evidence of exploitation made this a successful security incident response. GitHub customers—whether on github.com or GitHub Enterprise Server—can remain confident that we take such reports seriously and act promptly.