A critical remote code execution vulnerability in GitHub Enterprise Server allows an unauthenticated attacker to compromise the GHES appliance with a single malicious Git push: no credentials, no existing repository access, and no interaction from a legitimate user required. CVE-2026-3854 affects all supported GHES versions prior to the hotfix releases published April 30, 2026. GitHub Enterprise Server hosts an organisation's entire source code estate, CI/CD pipeline configurations, deployment secrets, and developer access controls; its compromise represents a catastrophic supply chain risk.
The Vulnerability
CVE-2026-3854 is a pre-authentication remote code execution flaw in GHES's Git protocol handler. The vulnerability exists in how the server processes object delta resolution during a Git pack-file receive operation, the server-side processing of data transmitted during a git push. A crafted pack-file containing a malicious object delta sequence triggers a memory corruption condition in the Git protocol parsing layer. This corruption is exploitable to gain code execution in the context of the Git service process, which runs with elevated privileges on the GHES appliance.
The critical aspect of this vulnerability is the attack surface: the Git push endpoint is the primary interface of any Git server and must be accessible to every developer and CI system that interacts with the repository host. In most enterprise deployments, GHES's Git port is accessible from the entire corporate network and often from CI/CD systems in cloud environments. There is no authentication check before the vulnerable code path is reached; the exploit fires during the unauthenticated phase of the push negotiation protocol.
Post-Exploitation Capability
Successful exploitation of CVE-2026-3854 gives the attacker code execution on the GHES appliance. From this position, an attacker can:
- Access all repositories: the entire source code estate of the organisation, including repositories with restrictive access controls; GHES stores repository data on the appliance's filesystem, accessible to the Git service process
- Exfiltrate Actions secrets and environment variables: GitHub Actions workflow secrets and organisation-level secrets stored in GHES are accessible from the appliance's credential store
- Modify repository contents: inject malicious code into any repository, alter CI/CD pipeline definitions to insert backdoored build steps, or modify deployment workflow configurations
- Compromise connected infrastructure: GHES integrates with identity providers, JIRA, Slack, and deployment targets; service account tokens and webhook secrets for these integrations are accessible from the appliance
- Pivot to CI/CD runners: self-hosted Actions runners registered with the GHES instance are orchestrated by the appliance; a compromised appliance can dispatch malicious jobs to all registered runners
Affected Versions and Fixes
| GHES Branch | Vulnerable | Fixed Version |
|---|---|---|
| 3.12.x | Yes | 3.12.8 |
| 3.13.x | Yes | 3.13.4 |
| 3.14.x | Yes | 3.14.2 |
| 3.15.x | Yes | 3.15.1 |
GHES versions prior to 3.12 have reached end of support and should be treated as permanently vulnerable.
Recommended Actions
- Apply the hotfix immediately: update to the fixed version for your GHES branch using the standard GHES update process (Management Console → Updates, or the `ghe-upgrade` CLI). The update requires a maintenance window but does not require a full appliance rebuild.
- Restrict Git port access while patching: if immediate patching is not possible, implement network ACLs to restrict SSH (port 22) and HTTPS (port 443) Git access to GHES to known developer and CI/CD IP ranges. This reduces but does not eliminate exposure.
- Audit GHES access logs for anomalous push operations: review Git operation logs (`/var/log/github/gitauth.log`) for push attempts from unexpected IP addresses, particularly to repositories those addresses do not normally access. Focus on the period prior to hotfix application.
- Rotate all secrets stored in GHES: if you cannot confirm the instance was not accessed by an unauthorised party in the past 48 hours, rotate: Actions workflow secrets, organisation secrets, repository deploy keys, webhook secrets, and the GHES management console password.
- Verify repository integrity: for critical repositories, review recent commits and CI/CD configuration changes to identify any unauthorised modifications. Pay particular attention to workflow files (`.github/workflows/`), Dockerfile and dependency manifest changes, and any new repository collaborators or deploy keys added.