GitHub Patched Critical `git push` RCE Affecting Cloud and Enterprise Server
GitHub disclosed and patched CVE-2026-3854, a critical command-injection flaw in its git push pipeline that allowed an authenticated user with repository push access to trigger remote code execution using a single crafted push. Wiz reported the bug on March 4, and GitHub said it reproduced the issue within about 40 minutes and deployed a fix to GitHub.com within roughly two hours, later publishing patches for supported GitHub Enterprise Server releases including 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6, and 3.19.3. The vulnerability stemmed from unsanitized user-supplied push option values being inserted into internal X-Stat headers, enabling attackers to inject trusted metadata, bypass sandboxing, and execute commands as the git service user.
Researchers said the flaw could have led to full server compromise on GitHub Enterprise Server and, on GitHub.com, code execution on shared storage infrastructure where millions of repositories were accessible to the git service account, creating potential cross-tenant exposure. GitHub said forensic analysis and telemetry found no evidence of malicious exploitation and no indication that customer data was accessed, modified, or exfiltrated, but urged Enterprise Server administrators to upgrade immediately and review logs for suspicious push activity. Wiz described the bug as easy to exploit and highlighted its use of AI-assisted reverse engineering tools, including IDA MCP, to uncover the issue in GitHub’s closed-source components.
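The root cause described above, client-controlled push option values copied verbatim into internal headers, is the classic header-injection class. As an added illustration (constructed example, not GitHub's or Wiz's code), the snippet below shows an injectable header builder beside a hardened one that allowlists key and value characters and rejects the option instead of stripping it. The X-Stat header names, the CRLF `Name: value` wire format and the downstream consumer are assumptions; the page does not describe them.

```python
"""Push-option handling: injectable header builder beside a hardened one.

Constructed illustration of the bug class reported as CVE-2026-3854:
values from `git push -o key=value` copied verbatim into internal
'Name: value' metadata headers. The real X-Stat format and GitHub's
consumer are NOT on the page; the names and format here are stand-ins.
"""
import re

# Header names the (hypothetical) downstream service treats as trusted.
TRUSTED_HEADERS = {"X-Stat-Repo", "X-Stat-Actor"}


def parse_push_options(raw_options):
    """Split 'key=value' push options into a dict; no validation yet."""
    parsed = {}
    for opt in raw_options:
        key, sep, value = opt.partition("=")
        parsed[key] = value if sep else ""
    return parsed


def build_headers_unsafe(options):
    """Vulnerable: the raw option value lands inside a CRLF-delimited line,
    so a value containing CRLF terminates the line and starts a new header."""
    lines = [f"X-Stat-Option-{k}: {v}" for k, v in options.items()]
    return "\r\n".join(lines) + "\r\n"


def parse_headers(blob):
    """Downstream consumer: one 'Name: value' per CRLF-terminated line."""
    headers = {}
    for line in blob.split("\r\n"):
        if line:
            name, _, value = line.partition(": ")
            headers[name] = value
    return headers


def trusted_headers_forged(blob):
    """Trusted header names that appear in a blob built from user options."""
    return sorted(TRUSTED_HEADERS & parse_headers(blob).keys())


# Hardened path: allowlist, then reuse the same builder.
OPTION_KEY_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")      # no ':' or whitespace
OPTION_VALUE_RE = re.compile(r"[\x20-\x7e]{0,256}")      # printable ASCII, no CR/LF


def build_headers_safe(options):
    """Reject (do not sanitise) any option that could break header framing."""
    for key, value in options.items():
        if not OPTION_KEY_RE.fullmatch(key) or not OPTION_VALUE_RE.fullmatch(value):
            raise ValueError(f"rejected push option {key!r}")
    return build_headers_unsafe(options)
```

Rejecting rather than stripping keeps the offending option visible in the service's own logs, which is the kind of push activity the advisory asks administrators to review.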

How this story unfolded
Nine events, listed from the most recent confirmed update back to the earliest known activity.
Wiz publishes technical details for GitHub CVE-2026-3854
Wiz published its research on CVE-2026-3854, explaining how unsanitized git push options were copied into internal X-Stat headers and enabled remote code execution. The disclosure described impact on GitHub.com shared storage nodes and potential full compromise of GitHub Enterprise Server.
GitHub publicly discloses CVE-2026-3854 and releases GHES patches
GitHub publicly disclosed CVE-2026-3854, a critical git push pipeline command injection issue affecting GitHub.com and GitHub Enterprise Server. It released patched GHES versions across supported release lines and advised administrators to upgrade immediately.
ZDI publishes OpenAI Codex sandbox escape as a 0-day advisory
ZDI publicly disclosed the OpenAI Codex sandbox escape as advisory ZDI-26-305, describing insufficient isolation in the JavaScript execution environment. ZDI said OpenAI had reproduced the behavior but considered it out of scope for its bug bounty program and not part of Codex's default product surface.
Xen publishes XSA-489 covering five validated XAPI RBAC flaws
Xen.org released Xen Security Advisory 489 for five RBAC-related XAPI vulnerabilities: CVE-2026-23559, CVE-2026-23560, CVE-2026-23561, CVE-2026-23562, and CVE-2026-42486. The advisory said the XAPI team validated 5 real vulnerabilities out of the 89 public claims and recommended disabling lower-privileged RBAC roles until fixes are applied.
Researcher publicly discloses 89 XAPI vulnerabilities
A researcher published an independent audit disclosing 89 claimed exploitable vulnerabilities in XAPI used by Citrix XenServer/Hypervisor and XCP-ng. The disclosure said the issues stemmed from architectural failures in unvalidated Map(String,String) fields and included extensive proof-of-concept and detection materials.
GitHub reproduces and fixes GitHub.com CVE-2026-3854 within hours
After receiving Wiz's report, GitHub reproduced the issue within about 40 minutes, identified the root cause the same day, and deployed a fix to GitHub.com in under two hours. GitHub later said forensic analysis found no evidence of exploitation or customer data compromise.
Wiz reports critical GitHub git push RCE to GitHub
Wiz reported a command injection vulnerability later assigned CVE-2026-3854 to GitHub through the bug bounty program. The flaw allowed an authenticated user with push access to achieve remote code execution via crafted git push options.
ZDI reports OpenAI Codex sandbox escape to OpenAI
Trend Micro's Zero Day Initiative reported a Codex sandbox escape vulnerability, later tracked as ZDI-26-305 / ZDI-CAN-29475, to OpenAI. The flaw allowed code execution as the current user when processing a repository containing malicious JavaScript.
Citrix releases XenServer and Hypervisor fixes for September 2024 flaws
Citrix issued a September 2024 security update for XenServer 8 and Citrix Hypervisor 8.2 CU1 LTSR addressing CVE-2024-45817 and net-snmp flaws CVE-2022-24805 and CVE-2022-24809. Citrix recommended restricting management interface access and upgrading affected systems.
Sources
GitHub vulnerability CVE-2026-3854 allows code execution with a single git push | brief | SC Media (scworld.com)
CVE-2026-3854 RCE Flaw In GitHub Enterprise Server (thecyberexpress.com)
GitHub fixes RCE flaw that gave access to millions of private repos (bleepingcomputer.com)
Wiz hands GitHub AI-aided bug report that isn't total slop (theregister.com)
89 vulnerabilities in XAPI (Citrix XenServer/Hypervisor) - 3x CVSS 9.9, 2x CVSS 9.1 : r/netsec (reddit.com)
89 vulnerabilities in XAPI / Citrix XenServer - independent security audit (shittrix.moksha.dk)
ZDI-26-305 | Zero Day Initiative (zerodayinitiative.com)
Citrix Hypervisor vulnerabilities: How to find affected assets (runzero.com)