Cybersecurity

Critical GitHub RCE Exposed Millions; 88% Enterprise Servers Unpatched

By Sentinel News Editorial Team

April 29, 2026 Source: Securityweek 6 views

A critical remote code execution (RCE) vulnerability in GitHub's internal Git infrastructure exposed millions of repositories, allowing authenticated users to execute arbitrary commands. Despite a swift patch for GitHub.com, new reports indicate a staggering 88% of GitHub Enterprise Server instances remain unpatched. This flaw, discovered by Wiz, impacted both public and private repos across GitHub.com and Enterprise Server deployments.

Critical RCE (CVE-2026-3854) in GitHub's internal Git infrastructure exposed millions of public and private repositories.
Exploitable via a simple `git push` command by any authenticated user with push access, allowing arbitrary command execution.
A staggering 88% of GitHub Enterprise Server instances remain unpatched for the vulnerability, despite a fix released in March.

Intelligence briefing: Why this matters: For defense and critical infrastructure, unpatched GitHub Enterprise Servers represent a severe supply chain risk, potentially leading to full compromise of sensitive codebases and intellectual property.

Researchers at cloud security giant Wiz discovered a critical remote code execution vulnerability in GitHub that exposed millions of repositories.

The vulnerability, tracked as CVE-2026-3854, affected the code-hosting platform’s internal Git infrastructure. It impacted both GitHub Enterprise Server and GitHub.com.

“By exploiting an injection flaw in GitHub’s internal protocol, any authenticated user could execute arbitrary commands on GitHub’s backend servers with a single git push command – using nothing but a standard git client,” Wiz explained.

According to the security firm, which discovered the issue using AI, exploitation is easy.

In the case of GitHub Enterprise Server, an attacker can exploit the vulnerability to fully compromise the server and gain access to all repositories and internal secrets.

The impact was even greater on GitHub.com, where CVE-2026-3854 could have been exploited for remote code execution on shared storage nodes.

“On GitHub.com, this vulnerability allowed remote code execution on shared storage nodes. We confirmed that millions of public and private repositories belonging to other users and organizations were accessible on the affected nodes,” Wiz said.

While the authentication requirement may appear to mitigate the risk, GitHub explained that any user with push access to a repository, including one they created, could exploit the vulnerability to execute arbitrary commands on the server.

GitHub quickly addressed the vulnerability. The company has conducted a forensic investigation and determined that it has not been exploited in the wild.

In addition to GitHub.com and GitHub Enterprise Server, the security hole affected GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, and GitHub Enterprise Cloud with Enterprise Managed Users.

The vulnerability was reported to GitHub on March 4, and a fix was deployed to GitHub.com on the same day.

A patch for Enterprise Server was made available on March 10. However, Wiz reported on Tuesday that 88% of Enterprise Server instances had not yet been updated to a patched version.

The technical details of CVE-2026-3854 have been disclosed by Wiz, and GitHub has described the actions it has taken and its process for handling such vulnerabilities.

Related: Claude Code, Gemini CLI, GitHub Copilot Agents Vulnerable to Prompt Injection via Comments

Related: Critical Vulnerability in OpenAI Codex Allowed GitHub Token Compromise

Analysis

The persistent high rate of unpatched GitHub Enterprise Server instances highlights a critical operational security challenge within organizations, even for vulnerabilities of this severity. Given GitHub's integral role in software development for both commercial and government sectors, this RCE presents a significant attack vector for nation-state actors targeting sensitive projects. This incident underscores the urgent need for robust patch management and continuous monitoring, especially for platforms that form the bedrock of digital supply chains.

githubvulnerabilityrcecybersecuritysupply chainenterprise securitypatch management

Original reporting: https://www.securityweek.com/critical-github-vulnerability-exposed-millions-of-repositories/