Wiz Research discovered CVE-2026-3854, a critical RCE vulnerability in GitHub's internal Git infrastructure that could allow any authenticated user to execute arbitrary code on GitHub backend servers with a single git push command. The data of millions of private repositories was at risk, and the flaw was first discovered using AI-augmented reverse engineering.
GitHub is the world's largest code hosting platform, with over 150 million developers, over 420 million repositories, and billions of lines of production code flowing through it daily. When someone hacks GitHub, it is not just a breach of one company; it is a breach of the entire global software supply chain.
And that is exactly what happened on March 4, 2026. Wiz Research discovered a critical remote code execution vulnerability, CVE-2026-3854, in GitHub's internal git infrastructure that allowed any authenticated user to execute arbitrary commands on backend servers with a single git push command, using a standard git client and no special tools.
GitHub received the report on March 4, 2026, validated it in less than two hours, and deployed the fix to GitHub.com at 7:00 p.m. UTC the same day. A forensic investigation confirmed that no one had exploited the vulnerability before it was reported.
This vulnerability was hidden in a place few people think about: GitHub's internal, built-in git proxy. When a user runs git push -o, the arbitrary option strings given to -o are sent to the server as push options.
The vulnerability arose because babeld copied these values verbatim into a semicolon-delimited internal X-Stat header without sanitizing the semicolon, the very character used as the field delimiter. By injecting a semicolon into a crafted push option, an attacker could manipulate internal metadata fields, and that manipulation was the path to RCE.
Wiz's bug bounty report clearly demonstrated that any user with push access to any repository, even one they created themselves, could achieve arbitrary command execution on GitHub's servers.
Millions of Private Repositories on a Compromised Node
GitHub.com is a multi-tenant platform: repositories from millions of different organizations and users are stored on shared backend infrastructure. When Wiz researchers achieved code execution on GitHub.com, they landed on a shared storage node as the git user. That user exists for a specific reason: it serves all repository operations on the node and, by design, has broad filesystem access to every repository hosted there.
Compromising this user meant that any repository belonging to any organization or user on that node was accessible, even if it was private. Wiz researchers enumerated repository index entries on the two compromised nodes and found millions of entries on each node belonging to other users and organizations. The researchers did not access third-party content; they validated the cross-tenant exposure only with their own test accounts.
This flaw was even more devastating on GitHub Enterprise Server. GHES is a self-hosted deployment, so RCE meant a complete server takeover, putting the organization's entire GHES instance, with all of its repositories, secrets and configuration, in the hands of the attacker.
Even after the GHES patch was released, a concerning statistic surfaced on Hacker News: 88% of on-premises GHES customers had still not applied the critical security fix after seven weeks. This is the alarming reality of enterprise patching.
Another dimension of this research that is equally significant for the cybersecurity community is that, for the first time, a critical vulnerability in closed-source compiled binaries was discovered with the help of AI tooling.
Wiz used IDA MCP, an AI-augmented reverse engineering tool that can rapidly analyze compiled binaries and reconstruct internal protocols, analysis that would have been prohibitively time-consuming to perform manually. This is a meaningful shift in vulnerability research methodology: opaque multi-service architectures that were previously practically unauditable can now be inspected with the help of AI.
GitHub.com, GitHub Enterprise Cloud, GitHub Enterprise Cloud with Enterprise Managed Users, and GitHub Enterprise Cloud with Data Residency are all patched as of March 4, 2026, and their users do not need to take any action. Patches for GHES are available for the supported releases 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4 and 3.20.0.
GitHub strongly recommends that all GHES customers immediately upgrade to the latest patch release. Organizations should review push operations in /var/log/github-audit.log for semicolons in push options; these can be an indicator of an exploitation attempt. The core of the fix is that user-supplied push option values are now properly sanitized and can no longer influence internal metadata fields.
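As an added illustration (not code from Wiz, GitHub or the original post), the toy below shows why copying a push option verbatim into a semicolon-delimited header lets it split into extra fields, the sanitizing check the fix describes, and a scan for the semicolon indicator over audit-log-style records. The header layout, the JSON field names and the log records are all constructed assumptions, not GitHub's real X-Stat format or github-audit.log schema.

```python
import json

FIELD_DELIMITER = ";"  # separator of the internal metadata header described above

def push_option_is_suspicious(value: str) -> bool:
    """True when a push option carries the field delimiter, the indicator
    GitHub recommends searching push operations for."""
    return FIELD_DELIMITER in value

def sanitize_push_option(value: str) -> str:
    """Corrected handling: refuse a value that would split into extra fields."""
    if push_option_is_suspicious(value):
        raise ValueError("push option contains the reserved field delimiter")
    return value

def build_stat_header(repo_id: str, push_option: str, sanitize: bool) -> str:
    """Toy 'k=v;k=v' metadata line (assumed layout). sanitize=False copies the
    option verbatim (the flawed behaviour); sanitize=True applies the check."""
    opt = sanitize_push_option(push_option) if sanitize else push_option
    return f"repo={repo_id}{FIELD_DELIMITER}opt={opt}"

def parse_stat_header(header: str) -> dict:
    """Split the line as a naive consumer would; a later duplicate key wins."""
    fields = {}
    for part in header.split(FIELD_DELIMITER):
        key, _, val = part.partition("=")
        fields[key] = val
    return fields

# Constructed JSON-lines records standing in for a push audit log; the key
# names are assumptions, not the real GHES github-audit.log schema.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"action": "git.push", "actor": "alice", "repo": "acme/app",
                "push_options": ["ci.skip"]}),
    json.dumps({"action": "git.push", "actor": "bob", "repo": "acme/infra",
                "push_options": ["deploy=prod;repo=7"]}),
    json.dumps({"action": "git.clone", "actor": "carol", "repo": "acme/app"}),
])

def find_suspicious_pushes(log_text: str) -> list:
    """Return the push records whose options contain the delimiter."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        opts = rec.get("push_options", []) if rec.get("action") == "git.push" else []
        if any(push_option_is_suspicious(o) for o in opts):
            hits.append(rec)
    return hits
```

With the verbatim copy, the injected option overrides the earlier repo field once the header is split; with sanitization the same value is rejected before the header is built.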