Critical GitHub.com and Enterprise Server RCE Vulnerability Enables Full Server Compromise
Cyber Security News
By Guru Baran
April 28, 2026
A critical remote code execution (RCE) vulnerability, tracked as CVE-2026-3854, in GitHub’s internal git infrastructure could have allowed any authenticated user to compromise backend servers, access millions of private repositories, and, in the case of GitHub Enterprise Server (GHES), achieve full server takeover.
Discovered by Wiz researchers through AI-augmented reverse engineering of closed-source compiled binaries, CVE-2026-3854 stems from an improper neutralization of special elements (CWE-77) in how GitHub’s internal babeld git proxy handled user-supplied push option values.
When a user executes git push -o, arbitrary option strings are passed to the server. The vulnerability arises because babeld copied these values verbatim into a semicolon-delimited internal X-Stat header without sanitizing the semicolon character, the same character used as a field delimiter.
Because the downstream service gitrpcd parsed the X-Stat header using last-write-wins semantics, an attacker could inject new key-value fields simply by embedding a semicolon followed by a field name and value inside a push option.
Security-critical fields including rails_env, custom_hooks_dir, and repo_pre_receive_hooks were all overridable through this single injection vector.
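The mechanism above (an untrusted value copied verbatim into a delimited header, consumed by a parser that lets the last occurrence of a key win) is a general bug class, and the fix sits on both ends of the pipe. The following is an added example, not GitHub's babeld or gitrpcd code: the field names, values and header layout are assumptions chosen to mirror the article. It places a vulnerable producer and consumer next to hardened ones that percent-encode the untrusted value and refuse duplicate keys rather than picking a winner.

```python
"""Delimiter injection in a ';'-delimited key=value header, vulnerable and
hardened side by side.  Hypothetical code illustrating the bug class described
in the article; it is not GitHub's babeld or gitrpcd implementation, and the
field names and values below are assumptions."""
import re
from urllib.parse import quote, unquote

# Fields the proxy sets itself before forwarding.  Hypothetical values.
TRUSTED_FIELDS = {"rails_env": "production", "custom_hooks_dir": "/data/hooks"}

FIELD_NAME = re.compile(r"[a-z_]+")


class HeaderInjection(ValueError):
    """Raised by the hardened parser when a header is malformed or ambiguous."""


def build_header_unsafe(push_option: str) -> str:
    """Vulnerable producer: the user-supplied value is copied verbatim, so a
    ';' inside it terminates the field and starts a new one."""
    fields = dict(TRUSTED_FIELDS, push_option=push_option)
    return ";".join(f"{k}={v}" for k, v in fields.items())


def parse_header_last_wins(header: str) -> dict:
    """Vulnerable consumer: a repeated key silently replaces the earlier value."""
    result = {}
    for item in header.split(";"):
        if item:
            key, _, value = item.partition("=")
            result[key] = value
    return result


def build_header_safe(push_option: str) -> str:
    """Hardened producer: percent-encode the untrusted value so that ';', '='
    and '%' cannot act as delimiters (safe="" makes quote() encode all of them)."""
    fields = dict(TRUSTED_FIELDS, push_option=quote(push_option, safe=""))
    return ";".join(f"{k}={v}" for k, v in fields.items())


def parse_header_safe(header: str) -> dict:
    """Hardened consumer: validate key names, reject duplicates instead of
    picking a winner, and decode values on the way out."""
    result = {}
    for item in header.split(";"):
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep or not FIELD_NAME.fullmatch(key):
            raise HeaderInjection(f"malformed field {item!r}")
        if key in result:
            raise HeaderInjection(f"duplicate field {key!r}")
        result[key] = unquote(value)
    return result


def rejects(header: str) -> bool:
    """True if the hardened parser refuses the header."""
    try:
        parse_header_safe(header)
    except HeaderInjection:
        return True
    return False


def demo(push_option: str = "deploy;rails_env=development") -> dict:
    """Run one push option value through both pipelines and report the outcome."""
    unsafe_header = build_header_unsafe(push_option)
    safe_header = build_header_safe(push_option)
    return {
        "unsafe_rails_env": parse_header_last_wins(unsafe_header)["rails_env"],
        "safe_rails_env": parse_header_safe(safe_header)["rails_env"],
        "safe_push_option": parse_header_safe(safe_header)["push_option"],
        # Defence in depth: even the unsafely built header is refused downstream.
        "unsafe_header_rejected": rejects(unsafe_header),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Encoding on the producer side is what closes the hole; the duplicate-key check on the consumer side is the layer that would still have caught a header built by an unpatched proxy, which is why the example keeps both.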
The escalation to RCE required chaining three injected fields together:
Bypass the sandbox — Injecting a non-production rails_env value switched the pre-receive hook binary from its sandboxed execution path to an unsandboxed, direct-execution path
Redirect the hook directory — Overriding custom_hooks_dir redirected where the binary searched for hook scripts
Path traversal to arbitrary execution — Injecting a crafted repo_pre_receive_hooks entry with a path traversal payload caused the binary to resolve and directly execute an arbitrary filesystem binary as the git service user
The entire exploit required no privilege escalation, no special tooling, and no zero-day dependencies — just a standard git client.
On GitHub Enterprise Server, exploitation granted full server compromise, including read/write access to all hosted repositories and internal secrets.
On GitHub.com, Wiz initially found that the custom hooks code path was inactive by default, but discovered that a boolean enterprise_mode flag in the X-Stat header was equally injectable, enabling the full chain on GitHub.com’s shared infrastructure as well.
Upon achieving RCE on GitHub.com’s shared storage nodes, Wiz confirmed that the git service user had filesystem access to millions of repositories belonging to other users and organizations on those nodes.
The Wiz researchers did not access third-party content, using only their own test accounts to validate the cross-tenant exposure.
Notably, this marks one of the first critical vulnerabilities in closed-source binaries to be uncovered using AI tooling at scale.
Wiz leveraged IDA MCP for automated reverse engineering, enabling rapid reconstruction of GitHub’s internal protocols across compiled binaries, an analysis that would have been prohibitively time-consuming manually.
This signals a meaningful shift in the methodology for vulnerability research in opaque, multi-service architectures.
GitHub received the report on March 4, 2026, validated it within hours, and deployed a fix to GitHub.com by 7:00 p.m. UTC the same day, roughly within the 6-hour response window. GitHub’s forensic investigation confirmed no exploitation occurred prior to disclosure.
For GitHub Enterprise Server, patches are available, and GHES administrators must act immediately:
Component                 Vulnerable Versions   Fixed Versions
GitHub Enterprise Server  ≤ 3.19.1              3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4+
At the time of disclosure, Wiz data indicated 88% of GHES instances remained unpatched. GitHub Enterprise Cloud and GitHub.com users require no action.
GHES administrators should also audit /var/log/github-audit.log for push operations containing unusual special characters in push option values as indicators of prior exploitation attempts.
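The audit advice above leaves "unusual special characters" to the reader. The following is an added example, not tooling from GitHub or Wiz, of what that scan can look like: it walks a log, keeps only push events, and flags option values that contain the X-Stat field delimiter or control bytes, a path-traversal sequence, or one of the field names the article lists as overridable. The JSON-per-line layout and the sample events are constructed assumptions; the real format of /var/log/github-audit.log is not described in the article, so the `event.get(...)` keys will need adjusting.

```python
"""Scan audit-log lines for push options carrying delimiter characters,
control bytes, path-traversal sequences or the field names named in the
advisory.  Added example; the JSON-per-line layout below is a constructed
assumption, not the documented format of /var/log/github-audit.log."""
import json
import re

# Constructed sample events.  Only the "git.push" lines carry push options.
SAMPLE_LOG = """\
{"action":"git.push","actor":"alice","repo":"org/app","push_options":["ci.skip"]}
{"action":"git.push","actor":"bob","repo":"org/app","push_options":["deploy;rails_env=development"]}
{"action":"git.clone","actor":"carol","repo":"org/app"}
{"action":"git.push","actor":"dave","repo":"org/lib","push_options":["x=1\\u0000y"]}
{"action":"git.push","actor":"erin","repo":"org/lib","push_options":[]}
{"action":"git.push","actor":"frank","repo":"org/lib","push_options":["hooks/../other"]}
"""

# ';' is the X-Stat field delimiter the article describes; control bytes and
# DEL have no legitimate place in an option value either.
DELIMITER_OR_CONTROL = re.compile(r"[;\x00-\x1f\x7f]")
TRAVERSAL = re.compile(r"\.\.[/\\]")
# Field names the article lists as overridable; seeing them inside a
# user-supplied value is itself a signal worth reviewing.
SENSITIVE_KEYS = re.compile(
    r"\b(rails_env|custom_hooks_dir|repo_pre_receive_hooks|enterprise_mode)\b"
)


def classify_option(option: str) -> list[str]:
    """Return the list of reasons a single push option value looks suspicious."""
    reasons = []
    if DELIMITER_OR_CONTROL.search(option):
        reasons.append("delimiter-or-control-char")
    if TRAVERSAL.search(option):
        reasons.append("path-traversal")
    if SENSITIVE_KEYS.search(option):
        reasons.append("sensitive-field-name")
    return reasons


def find_suspicious_pushes(log_text: str) -> list[dict]:
    """Walk JSON-per-line events and report push options that trip any rule."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # unparsable line: out of scope here, but worth its own alert
        if event.get("action") != "git.push":
            continue
        for option in event.get("push_options") or []:
            reasons = classify_option(option)
            if reasons:
                findings.append({
                    "line": lineno,
                    "actor": event.get("actor"),
                    "repo": event.get("repo"),
                    "option": option,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_pushes(SAMPLE_LOG):
        print(finding)
```

Against a real log, replace SAMPLE_LOG with the file contents and expect some benign noise from the sensitive-name rule; the delimiter rule is the one that maps directly to the injection described above, and any hit on it from before the patch date deserves a closer look.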