CVE-2026-3854: Critical RCE Vulnerability in GitHub Enterprise Server Allows Code Execution via Git Push
Security researchers at Wiz Research have disclosed a critical remote code execution vulnerability affecting GitHub's internal Git infrastructure. The flaw, tracked as CVE-2026-3854 with a CVSS 4.0 score of 8.7 (HIGH), stems from a push option injection weakness in GitHub's internal git push pipeline, which involves the babeld, gitrpcd, and pre-receive hook components. The vulnerability gave any authenticated user with push access to any repository the ability to execute arbitrary commands on GitHub's backend infrastructure using nothing more than a standard git client and a single git push command.
The vulnerability was discovered through AI-augmented reverse engineering using IDA MCP, a technique that enabled the researchers to identify the injection point in GitHub's internal processing chain. The flaw affects GitHub Enterprise Server versions 3.19.3 and earlier and represented a severe risk to organizations running affected deployments. GitHub.com itself was remediated within six hours of the initial report, which significantly limited exposure for the public-facing service. The speed of that response underscores the critical nature of the vulnerability and the potential for widespread compromise had it been exploited in the wild before disclosure.
The discovery highlights ongoing security challenges in complex Git infrastructure, particularly in systems handling authenticated push operations across large-scale deployments. Organizations running GitHub Enterprise Server on affected versions are urged to verify that they have applied the latest patches. Because the vulnerability relies only on standard Git protocols and authenticated push access, it is particularly concerning for enterprise environments where numerous users hold repository access. Wiz Research's methodology, combining AI-assisted reverse engineering with traditional security analysis, represents an evolving approach to identifying subtle injection flaws in widely deployed infrastructure software.