Critical GitHub flaw lets a single 'git push' run code remotely on the server - patched, but most self-hosted GitHub Enterprise instances haven't updated yet (CVE-2026-3854)

Researchers disclosed CVE-2026-3854, a critical GitHub Enterprise Server flaw that lets anyone with push access execute arbitrary commands on the GitHub server with a single git push. The bug is in how Enterprise Server handles repository hooks during push operations - a crafted commit message or filename bypasses the sanitization that normally prevents shell injection. GitHub patched it last week, but self-hosted instances need to apply the patch manually, and telemetry shows most haven't yet. Anyone with developer-level access to a vulnerable Enterprise Server can take over the entire instance, then pivot into every repository and CI/CD secret it hosts.

Check

If you run a self-hosted GitHub Enterprise Server, apply the latest patch this week and review push activity from any low-privilege accounts since the patch was released.

Affected

Self-hosted GitHub Enterprise Server instances on versions before the April 2026 patch. The bug requires push access to any repository, which means every developer with commit rights is a potential entry point. CI/CD secrets, signing keys, and source code are exposed. GitHub.com (the SaaS product) is not affected.

Fix

Upgrade GitHub Enterprise Server to the patched release per GitHub's advisory. Until patched, restrict push access to trusted accounts and require code review on all pushes. Audit Enterprise Server logs for unusual git operations or shell processes spawning from the GitHub system user. Rotate any CI/CD secrets, signing keys, and webhook tokens stored on the server.