A critical vulnerability (CVE-2026-3854, CVSS 8.7) was disclosed affecting GitHub Enterprise Server and GitHub.com, allowing attackers to execute arbitrary commands on backend servers via a single git push command. Due to the potential for full server compromise, including access to all hosted repositories and internal secrets, immediate patching is required.
The following components are affected:
- GitHub Enterprise Server versions 3.19.1 and below. Fixed versions are 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6, and 3.19.3.
- GitHub.com was also affected but was mitigated within 6 hours of the initial report. On GitHub.com, the same flaw enabled code execution on shared storage nodes where millions of public and private repositories belonging to other users and organizations were accessible.
Users should upgrade to GHES version 3.19.3 or the patched release for their respective version branch immediately. At the time of writing, approximately 88% of GitHub Enterprise Server instances are still vulnerable. The severity, ease of exploitation, and the fact that only a standard git client is needed make this vulnerability extremely high risk, especially for internet-facing GHES deployments.
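The following script is an added example, not Orca's or GitHub's code, for triaging an inventory of GHES instances against the fixed releases listed above. It assumes you already have each instance's version string (for example from your asset inventory); the host names and versions embedded below are constructed sample data.

```python
"""Triage GitHub Enterprise Server versions against the CVE-2026-3854 fixed releases."""
from typing import Dict, List, Tuple

# Fixed release per version branch, as listed in the advisory.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (3, 14): (3, 14, 24), (3, 15): (3, 15, 19), (3, 16): (3, 16, 15),
    (3, 17): (3, 17, 12), (3, 18): (3, 18, 6), (3, 19): (3, 19, 3),
}

# Constructed sample inventory (hypothetical hosts), one "host,version" per line.
CONSTRUCTED_INVENTORY = """\
ghes-prod-01,3.19.1
ghes-prod-02,3.19.3
ghes-staging,v3.17.11
ghes-legacy,3.13.9
"""

def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'x.y.z'; tolerates a leading 'v' and a '-suffix' such as a build tag."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch

def assess(version_text: str) -> dict:
    """Return a verdict for one instance: vulnerable, patched, or not_affected."""
    v = parse_version(version_text)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        if v < (3, 14, 0):
            # Inside the affected range ("3.19.1 and below") but no fixed release
            # is listed for this branch, so the only remediation is a branch upgrade.
            return {"version": v, "status": "vulnerable",
                    "action": "upgrade to a branch with a fixed release (3.14-3.19)"}
        return {"version": v, "status": "not_affected", "action": "none"}
    if v < fixed:  # conservative: anything below the branch's fixed release is flagged
        return {"version": v, "status": "vulnerable",
                "action": "upgrade to " + ".".join(map(str, fixed))}
    return {"version": v, "status": "patched", "action": "none"}

def triage_inventory(csv_text: str) -> List[dict]:
    """Assess every non-empty 'host,version' line and attach the host to each verdict."""
    results = []
    for line in csv_text.splitlines():
        if line.strip():
            host, version = line.split(",", 1)
            results.append({"host": host, **assess(version)})
    return results

if __name__ == "__main__":
    for r in triage_inventory(CONSTRUCTED_INVENTORY):
        print(f"{r['host']:14} {r['status']:13} {r['action']}")
```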
About the vulnerability: CVE-2026-3854
The issue originates from GitHub’s internal git infrastructure, where user-controlled input passed through git push options is embedded into an internal protocol header without proper sanitization. Because the delimiter character is not escaped, an attacker can inject arbitrary fields into the internal request, overriding security-critical settings. Due to last-write-wins parsing semantics, injected values silently replace legitimate ones.
By chaining multiple injected fields, an attacker can disable the execution sandbox, redirect the hook script lookup directory, and trigger execution of an arbitrary binary on the server. The result is full remote code execution as the git service user. Any authenticated GitHub user with push access to any repository can exploit this using nothing but a standard git client.
Successful exploitation could allow attackers to execute arbitrary commands on backend infrastructure, read all repositories hosted on the compromised node regardless of ownership, and access internal secrets and service configurations, leading to full infrastructure compromise and cross-tenant data exposure.
How can Orca help?
Orca enables customers to quickly identify assets running vulnerable GitHub Enterprise Server versions, understand their exposure in context including internet accessibility, runtime reachability, and asset criticality, and prioritize remediation based on real risk rather than CVSS alone. Orca’s platform highlights affected assets directly in the alert view, helping security teams focus on the most critical remediation paths first.
