GitHub Rushes to Patch Critical Remote Code Execution Bug in Git Push Pipeline

Critical RCE Vulnerability in GitHub’s Git Push Pipeline Patched in Under Two Hours

On March 4, 2026, GitHub addressed a critical remote code execution (RCE) vulnerability affecting its core git push operations. The flaw, reported through the company’s Bug Bounty program by researchers at Wiz, could have allowed any user with push access to a repository to execute arbitrary commands on GitHub’s servers.

GitHub confirmed that the vulnerability impacted its cloud platform (github.com), GitHub Enterprise Cloud (GHEC), GHEC with Data Residency, GHEC with Enterprise Managed Users, and GitHub Enterprise Server (GHES). A forensic investigation has concluded with no evidence of exploitation.

Swift Response and Timeline

GitHub’s security team received the vulnerability report on March 4, 2026. Within 40 minutes, they reproduced the issue internally and classified it as critical. By 7:00 p.m. UTC the same day—just over an hour later—a fix was deployed to github.com.

“Our team mobilized immediately to validate, patch, and investigate this issue,” said a GitHub spokesperson. “We are grateful to the Wiz researchers for their responsible disclosure through our Bug Bounty program.”

How the Vulnerability Worked

The attack required only a single command: git push with a crafted push option containing an unsanitized character. Push options are a legitimate Git feature that allow clients to send key-value strings to the server during a push.

However, GitHub’s internal metadata processing did not properly sanitize these user-supplied values. The metadata format used a delimiter that could match characters in user input, enabling an attacker to inject additional fields. Downstream services then interpreted these injected fields as trusted internal values, bypassing sandboxing protections and allowing arbitrary command execution on the server handling the push.

Patches and Recommendations

For GitHub Enterprise Server, patches are available for all supported releases: 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, 3.20.0, or later. The vulnerability is tracked as CVE-2026-3854.

“We strongly recommend that all GHES customers upgrade immediately,” the spokesperson added. Cloud customers (github.com and GHEC) are automatically protected and require no action.

Background

The git push pipeline is a critical part of GitHub’s infrastructure, processing millions of pushes daily. When a user pushes code, metadata about the operation is passed between internal services using a proprietary protocol. This metadata includes fields like repository type and execution environment.

Push options, introduced in Git 2.10, are designed to pass additional context to server-side hooks. In this case, the lack of sanitization allowed an attacker to override the processing environment, escape the sandbox, and run arbitrary commands. The vulnerability affected not just custom hooks but core server operations.

What This Means

For GitHub’s cloud users, the immediate risk is neutralized—the fix is already live. However, the incident underscores the complexity of securing deeply integrated features like push options. Enterprises running GitHub Enterprise Server must apply patches urgently to remain protected.

“This vulnerability highlights the importance of rigorous input validation in internal protocols,” said a security researcher familiar with the analysis. “GitHub’s response time—under two hours from report to fix—sets a benchmark for incident response in the industry.”

Organizations should review their bug bounty programs and ensure they have rapid response plans for critical vulnerabilities. Going forward, GitHub has committed to enhancing sanitization checks across all metadata handling layers to prevent similar injection attacks.