GitHub patched a flaw in March that let any developer take over millions of repos with a single 'git push' - 88% of self-hosted GitHub Enterprise Servers still haven't installed the fix (CVE-2026-3854)

Update on the GitHub flaw covered yesterday: Wiz, who found the bug, published its full disclosure showing 88% of self-hosted GitHub Enterprise Servers were still unpatched at public disclosure on April 28. The bug let any user with push access to one repository run code on the GitHub server itself with a single 'git push'. On GitHub.com, the same bug exposed millions of public and private repositories belonging to other users sharing the same storage node. GitHub.com was patched within 75 minutes, but Enterprise Server installs need patching manually. Wiz found the bug using AI-augmented reverse engineering on closed-source GitHub binaries.

Check

If you run a self-hosted GitHub Enterprise Server, check today whether you're on a patched version and upgrade if not.

Affected

Self-hosted GitHub Enterprise Server instances on versions before the March 2026 patches. CVSS 8.7. Wiz data shows 88% of GHES instances were unpatched at disclosure. The bug needs push access to any repository, including one the attacker creates themselves. GitHub.com and Enterprise Cloud variants are already patched.

Fix

Upgrade to GHES 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, 3.20.0, or later. Audit /var/log/github-audit.log for push operations with semicolons or unusual special characters in push option values - that's the exploit signature. Until patched, restrict push access and remove unnecessary repository creators.