GitHub fixes RCE flaw that gave access to millions of private repos
Key Points:
- In early March 2026, GitHub patched a critical remote code execution vulnerability (CVE-2026-3854) that could have allowed attackers to access millions of private repositories across GitHub.com and GitHub Enterprise servers.
- The flaw was reported by cybersecurity firm Wiz on March 4, 2026, and GitHub deployed a fix within two hours after confirming the issue, demonstrating rapid incident response.
- The vulnerability stemmed from improper sanitization of user-supplied options during 'git push' operations, enabling attackers with push access to execute arbitrary code and gain full read/write access to private repositories.
- Although the flaw was severe, forensic investigations found no evidence of exploitation before the patch, and GitHub confirmed no customer data was accessed or compromised prior to remediation.
- GitHub urges all GitHub Enterprise Server administrators to upgrade immediately, as about 88% of reachable instances remain vulnerable despite the patch being available across multiple supported releases.
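The summary above attributes the flaw to unsanitized user-supplied options reaching a 'git push' code path. The following is an added illustration of the defensive pattern for that class of bug, not GitHub's code or the actual CVE-2026-3854 fix: a server-side receive hook reads push options from the environment variables git sets for hooks (GIT_PUSH_OPTION_COUNT and GIT_PUSH_OPTION_<n>, which are real git behaviour) and validates each one against an allowlist of option names and a strict value pattern before anything downstream sees them. The option names in ALLOWED_OPTIONS are constructed for the example and are an assumption, not a real product's option set.

```python
import re

# Allowlist of push-option names this hook is willing to accept.
# Constructed for illustration; a real service defines its own set.
ALLOWED_OPTIONS = {"ci.skip", "merge_request.create", "merge_request.target"}

# Values must be short and free of whitespace, quotes and shell metacharacters.
# Anything that is not an explicit allow is a reject.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9._/-]{1,128}$")


def read_push_options_from_env(environ):
    """Return the raw push options git exposes to a receive hook.

    git sets GIT_PUSH_OPTION_COUNT and GIT_PUSH_OPTION_0..N-1 when the client
    pushed with --push-option; a missing or malformed count yields no options.
    """
    try:
        count = int(environ.get("GIT_PUSH_OPTION_COUNT", "0"))
    except ValueError:
        return []
    options = []
    for i in range(max(count, 0)):
        raw = environ.get(f"GIT_PUSH_OPTION_{i}")
        if raw is not None:
            options.append(raw)
    return options


def parse_push_option(raw):
    """Split 'name=value' into (name, value); a bare 'name' gets an empty value."""
    if "=" in raw:
        name, value = raw.split("=", 1)
        return name, value
    return raw, ""


def validate_push_options(options):
    """Validate raw push options against the allowlist.

    Returns (accepted, rejected): accepted maps option name to value,
    rejected is a list of human-readable reasons suitable for hook output.
    """
    accepted = {}
    rejected = []
    for raw in options:
        name, value = parse_push_option(raw)
        if name not in ALLOWED_OPTIONS:
            rejected.append(f"unknown push option: {name!r}")
            continue
        if value and not SAFE_VALUE.fullmatch(value):
            rejected.append(f"unsafe value for {name}: {value!r}")
            continue
        accepted[name] = value
    return accepted, rejected


if __name__ == "__main__":
    import os
    import sys

    # In a real pre-receive hook the options come from the process environment.
    accepted, rejected = validate_push_options(read_push_options_from_env(os.environ))
    for reason in rejected:
        print(f"error: {reason}", file=sys.stderr)
    # Fail closed: reject the whole push if any option was not accepted.
    sys.exit(1 if rejected else 0)
```

The important design choice is that the hook fails closed: one unrecognised option name or one value containing a character outside the pattern rejects the entire push, rather than passing the remaining options through. The validated `accepted` dictionary is the only thing later stages should consume; the raw strings never reach a shell or a template.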