Researchers at cloud security giant Wiz found a critical remote code execution vulnerability in GitHub that exposed tens of millions of repositories.
The vulnerability, tracked as CVE-2026-3854, affected the code-hosting platform's internal Git infrastructure. It impacted both GitHub Enterprise Server and GitHub.com.
"By exploiting an injection flaw in GitHub's internal protocol, any authenticated user could execute arbitrary commands on GitHub's backend servers with a single git push command – using nothing but a standard git client," Wiz explained.
According to the security firm, which discovered the issue using AI, exploitation is straightforward.
In the case of GitHub Enterprise Server, an attacker can exploit the vulnerability to fully compromise the server and gain access to all repositories and internal secrets.
The impact was even greater on GitHub.com, where CVE-2026-3854 could have been exploited for remote code execution on shared storage nodes.
"On GitHub.com, this vulnerability allowed remote code execution on shared storage nodes. We confirmed that tens of millions of public and private repositories belonging to other users and organizations were accessible on the affected nodes," Wiz said.
While the authentication requirement may seem to mitigate the risk, GitHub explained that any user with push access to a repository, including one they created themselves, could exploit the vulnerability to execute arbitrary commands on the server.
GitHub quickly addressed the vulnerability. The company has conducted a forensic investigation and determined that the flaw has not been exploited in the wild.
In addition to GitHub.com and GitHub Enterprise Server, the security hole affected GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, and GitHub Enterprise Cloud with Enterprise Managed Users.
The vulnerability was reported to GitHub on March 4, and a fix was deployed to GitHub.com on the same day.
A patch for Enterprise Server was made available on March 10. However, Wiz reported on Tuesday that 88% of Enterprise Server instances had not yet been updated to a patched version.
The technical details of CVE-2026-3854 have been disclosed by Wiz, and GitHub has described the actions it has taken and its process for handling such vulnerabilities.