GitHub has detailed a critical remote code execution vulnerability, **CVE-2026-3854**, that could be triggered by a single maliciously crafted `git push` and potentially grant full read/write access to private repositories. The issue was reported on March 4, 2026, via GitHub's bug bounty program and, according to the company, was rapidly reproduced and fixed on GitHub.com.

### What the bug was

The vulnerability stemmed from how GitHub handled user-supplied options during `git push` operations. User-provided values could be incorporated into internal metadata without sufficient sanitization, enabling injection of additional fields that downstream services trusted. By chaining injected values, an attacker could bypass sandboxing and achieve code execution on servers handling the push.
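The pattern described above, shown as an added, deliberately simplified example that is not GitHub's code: a push-option handler folds user-supplied `key=value` options into a newline-delimited metadata record, so a value containing a newline can smuggle in an extra field that the downstream parser trusts; the hardened builder allowlists keys, rejects control characters, and encodes the record structurally so a value can never become a field. The record format, the `sandbox` field, the allowlisted option names and the consumer's "last key wins" parsing are all assumptions made for the illustration.

```python
# Added example (not GitHub's code). Illustrates the bug class of folding
# unsanitized user input into an internal metadata record, beside a hardened
# variant. All field names, option names and the record format are hypothetical.
import json
import re

# Hypothetical allowlist of push-option keys the service accepts.
ALLOWED_KEYS = {"ci.skip", "merge_request.create"}

# Conservative value charset: no whitespace, no delimiters, bounded length.
_SAFE_VALUE = re.compile(r"[A-Za-z0-9._:/-]{0,128}")


def build_metadata_vulnerable(push_options):
    """Flawed pattern: server fields and user options share one line-oriented record.

    Nothing stops an option value from containing '\\n', so a single option
    can append a whole extra line to the record.
    """
    lines = ["sandbox=strict", "source=git-push"]
    for opt in push_options:
        key, _, value = opt.partition("=")
        lines.append(f"option.{key}={value}")
    return "\n".join(lines)


def parse_metadata(record):
    """Hypothetical downstream consumer: splits on newlines, last key wins."""
    fields = {}
    for line in record.splitlines():
        key, _, value = line.partition("=")
        fields[key] = value
    return fields


def build_metadata_hardened(push_options):
    """Validate each option and keep user data in its own JSON sub-object."""
    options = {}
    for opt in push_options:
        key, sep, value = opt.partition("=")
        if not sep or key not in ALLOWED_KEYS:
            raise ValueError(f"unknown or malformed push option: {opt!r}")
        if not _SAFE_VALUE.fullmatch(value):
            raise ValueError(f"unsafe characters in value for push option {key!r}")
        options[key] = value
    # Server-controlled fields are set here and cannot be overridden by options.
    return json.dumps({"sandbox": "strict", "source": "git-push", "options": options})


def sandbox_mode(record_json):
    """Read the server-controlled sandbox field from a hardened record."""
    return json.loads(record_json)["sandbox"]


def rejects(push_options):
    """True if the hardened builder refuses the given options."""
    try:
        build_metadata_hardened(push_options)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed input: a benign-looking option whose value carries a newline.
    crafted = ["ci.skip=1\nsandbox=disabled"]
    print("vulnerable:", parse_metadata(build_metadata_vulnerable(crafted))["sandbox"])
    print("hardened rejects:", rejects(crafted))
    print("hardened benign:", sandbox_mode(build_metadata_hardened(["ci.skip=1"])))
```

The fix is not only the character filter: keeping server-set fields in a structure the user-controlled values cannot reach means that even a missed character class cannot add or overwrite a trusted field.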

### Impact

Researchers state that affected nodes on GitHub.com could have allowed access to millions of public and private repositories, and on GitHub Enterprise Server the same class of bug could lead to full server compromise (including access to all hosted repos and secrets).

### What to do

GitHub says it found no evidence of exploitation prior to disclosure and that anomalous telemetry was attributable to researcher testing. However, **GitHub Enterprise Server (GHES)** administrators should **upgrade immediately** to the patched release for their line across supported releases: 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4, or 3.20.0 or later.
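To turn the version list above into a fleet check, here is an added example (not GitHub's tooling) that compares an installed GHES version string against the minimum patched release for its line. The treatment of lines not in the table (older lines reported as unpatched, newer lines accepted under the "or later" wording) and the suggestion of where to read the installed version are assumptions.

```python
# Added example (not GitHub's tooling). Minimum patched GHES version per
# release line is taken from the advisory summary above; how lines outside
# that table are handled is an assumption.
import re

FIXED_VERSIONS = {
    (3, 14): (3, 14, 25),
    (3, 15): (3, 15, 20),
    (3, 16): (3, 16, 16),
    (3, 17): (3, 17, 13),
    (3, 18): (3, 18, 8),
    (3, 19): (3, 19, 4),
    (3, 20): (3, 20, 0),
}

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse 'major.minor.patch' (trailing suffixes ignored) into an int tuple."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def _fmt(v):
    return ".".join(map(str, v))


def patch_status(installed):
    """Return (is_patched, message) for an installed GHES version string.

    The version string would normally come from the instance itself (for
    example the Management Console, or an API field reporting the installed
    version; exact source assumed here, not taken from the page).
    """
    v = parse_version(installed)
    line = v[:2]
    if line not in FIXED_VERSIONS:
        if line > max(FIXED_VERSIONS):
            # Assumption: a line newer than 3.20 falls under "3.20.0 or later".
            return True, f"{installed}: release line newer than the listed fixes"
        # Assumption: lines older than 3.14 are not in the fixed list; flag them.
        return False, f"{installed}: release line not listed as fixed; treat as unpatched"
    fixed = FIXED_VERSIONS[line]
    if v >= fixed:
        return True, f"{installed}: at or above fixed {_fmt(fixed)}"
    return False, f"{installed}: upgrade to {_fmt(fixed)} or later"


def unpatched(installed_versions):
    """Filter an inventory of version strings down to those needing an upgrade."""
    return [v for v in installed_versions if not patch_status(v)[0]]


if __name__ == "__main__":
    # Constructed inventory of hypothetical instances.
    for ver in ["3.17.12", "3.17.13", "3.19.3", "3.20.0", "3.13.9"]:
        print(patch_status(ver)[1])
```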