How GitHub Contained a Critical RCE Threat in the Git Push Flow

<h2 id="introduction">Introduction</h2><p>On March 4, 2026, GitHub’s Bug Bounty program received a report from security researchers at <strong>Wiz</strong> describing a critical remote code execution vulnerability. The flaw affected multiple GitHub offerings: github.com, GitHub Enterprise Cloud (including versions with Data Residency and Enterprise Managed Users), and GitHub Enterprise Server. Within just a few hours, the GitHub security team validated the finding, deployed a fix to github.com, and conducted a thorough forensic investigation — concluding that no exploitation had occurred. This article details the incident, the swift response, and the measures being taken to prevent similar vulnerabilities in the future.</p><figure style="margin:20px 0"><img src="https://github.blog/wp-content/uploads/2024/06/AI-DarkMode-4.png?resize=800%2C425" alt="How GitHub Contained a Critical RCE Threat in the Git Push Flow" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: github.blog</figcaption></figure><h2 id="receiving">Receiving the Bug Bounty Report</h2><p>The researchers demonstrated that any user with push access to a repository — even one they created themselves — could achieve arbitrary command execution on the GitHub server processing their <code>git push</code>. The attack required only a single command: <code>git push</code> with a specially crafted push option that contained an unsanitized character.</p><p>GitHub’s security team immediately began validating the report. Within <strong>40 minutes</strong>, the vulnerability was reproduced internally and its severity confirmed as critical, prompting immediate action.</p><h2 id="understanding">Understanding the Vulnerability</h2><p>When a user pushes code to GitHub, the operation passes through multiple internal services. 
Metadata about the push — such as the repository type and processing environment — is shared between services using an internal protocol.</p><p>The vulnerability stemmed from how user-supplied <strong>git push options</strong> were handled within this metadata. Git push options are a legitimate feature that allows clients to send key-value strings to the server during a push. However, the values provided by the user were incorporated into the internal metadata without adequate sanitization. Because the internal metadata format used a delimiter character that could also appear in user input, an attacker could inject additional fields that a downstream service would interpret as trusted internal values.</p><p>By chaining several injected values, the researchers showed that an attacker could:</p><ul><li>Override the environment in which the push was processed</li><li>Bypass sandboxing protections that normally constrain hook execution</li><li>Execute arbitrary commands on the server</li></ul><h2 id="response">Responding to the Vulnerability</h2><p>With the root cause identified on March 4, 2026, at <strong>5:45 p.m. UTC</strong>, GitHub’s engineering team developed and deployed a fix to <strong>github.com</strong> by <strong>7:00 p.m. UTC</strong> — less than two hours later. 
The fix ensures that user-supplied push option values are properly sanitized and can no longer influence internal metadata fields.</p><figure style="margin:20px 0"><img src="https://github.blog/wp-content/uploads/2024/05/Enterprise-DarkMode-3.png?resize=800%2C425" alt="How GitHub Contained a Critical RCE Threat in the Git Push Flow" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: github.blog</figcaption></figure><p>For GitHub Enterprise Server, patches were prepared across all supported releases:</p><ul><li><strong>3.14.25</strong></li><li><strong>3.15.20</strong></li><li><strong>3.16.16</strong></li><li><strong>3.17.13</strong></li><li><strong>3.18.7</strong></li><li><strong>3.19.4</strong></li><li><strong>3.20.0</strong> or later</li></ul><p>The vulnerability was published as <strong>CVE-2026-3854</strong>. GitHub strongly recommends that all GHES customers upgrade to the patched versions immediately.</p><h2 id="lessons">Lessons Learned and Next Steps</h2><p>This incident highlights the importance of rigorous input validation when handling user-supplied data that passes through internal systems. GitHub is committed to continuous improvement in several areas:</p><ul><li><strong>Increasing fuzzing and automated testing</strong> of internal metadata handling code</li><li><strong>Enhancing the review process</strong> for how user inputs interact with trusted internal protocols</li><li><strong>Strengthening sandbox configurations</strong> to provide deeper defense-in-depth</li></ul><p>The rapid response — from validation to fix in under two hours — was made possible by a well-coordinated cross-team effort and the proactive reporting from the security research community via the Bug Bounty program. GitHub thanks Wiz for their responsible disclosure and collaboration.</p><p>For more details, consult the official advisory or the GHES release notes. Stay secure.</p>
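The delimiter-injection pattern described above, and the sanitization fix the article names, as an added Python illustration. It is constructed for this page and is not GitHub's code; the "key=value" record format, the newline delimiter, the field names and the last-field-wins downstream parser are all assumptions.

```python
"""Delimiter injection into an internal push-metadata record, and its fix.
Constructed illustration, not GitHub's code. Assumed format: "key=value"
fields joined by FIELD_SEP, where a later field overrides an earlier one."""
import json

FIELD_SEP = "\n"  # assumed delimiter; the article does not name the real one

# Fields the upstream service sets itself; downstream treats them as trusted.
TRUSTED = {"repo_type": "user", "env": "sandboxed", "hooks": "restricted"}


def encode_vulnerable(trusted: dict, push_options: list[str]) -> str:
    """The bug: raw push-option values are appended as fields unsanitized."""
    fields = [f"{k}={v}" for k, v in trusted.items()]
    fields += [f"push_option={opt}" for opt in push_options]
    return FIELD_SEP.join(fields)


def decode(blob: str) -> dict:
    """Downstream parser: split on FIELD_SEP; the last value for a key wins."""
    parsed = {}
    for field in blob.split(FIELD_SEP):
        key, _, value = field.partition("=")
        parsed[key] = value
    return parsed


class UnsafePushOption(ValueError):
    """Raised when a push option could be read as additional fields."""


def encode_hardened(trusted: dict, push_options: list[str]) -> str:
    """Fix: reject values containing the delimiter, and carry all options in
    one JSON-encoded field so user data can never become a field of its own."""
    for opt in push_options:
        if FIELD_SEP in opt:
            raise UnsafePushOption(f"delimiter in push option: {opt!r}")
    fields = [f"{k}={v}" for k, v in trusted.items()]
    fields.append("push_options=" + json.dumps(push_options))
    return FIELD_SEP.join(fields)


def is_rejected(push_options: list[str]) -> bool:
    """True if the hardened encoder refuses this option list."""
    try:
        encode_hardened(TRUSTED, push_options)
    except UnsafePushOption:
        return True
    return False
```

Running `decode(encode_vulnerable(...))` on an option that embeds the delimiter shows the trusted `env` and `hooks` fields being overridden, while `encode_hardened` refuses the same input and keeps options inside a single field.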