GitHub RCE Vulnerability: CVE-2026-3854 Breakdown

· security devtools · Source ↗

TLDR

  • Wiz Research found CVE-2026-3854: semicolons embedded in a git push -o option are carried unescaped into GitHub’s internal X-Stat header, letting any authenticated user inject header fields and reach RCE on GitHub.com and on every unpatched GHES instance.

Key Takeaways

  • Any authenticated user can inject arbitrary X-Stat header fields by embedding semicolons in git push -o options; the header parser uses last-write-wins semantics, so injected fields silently override legitimate ones.
  • The chain overrides three fields: rails_env (disables the hook sandbox), custom_hooks_dir (moves the base directory from which hooks are looked up), and repo_pre_receive_hooks (a path-traversal value pointing at an arbitrary binary), so the pre-receive hook runs unsandboxed as the git service user.
  • GitHub.com required one additional injected field to enable the enterprise-mode code path; once injected, the full chain executed and landed on a shared storage node serving repositories across millions of tenants.
  • Wiz confirmed cross-tenant repository index exposure on GitHub.com via their own test accounts without reading other tenants’ content; the git user has broad filesystem access by design across all repos on a node.
  • GHES patch shipped March 10, 2026 (versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6, 3.19.3); Wiz telemetry shows 88% of instances remain unpatched. Upgrade immediately.
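To make the injection mechanics concrete, the following Python model is added here; it is not Wiz’s or GitHub’s code and the real X-Stat parser is not public. It places trusted fields and raw push options in one semicolon-delimited header, parses it with last-write-wins semantics as the write-up describes, and sets a hardened builder and strict parser beside it. The three protected field names are the ones the write-up lists; the header layout, the push_option_N naming, the placeholder values in the sample, and the chosen fix (percent-encoding client values plus refusing duplicate keys) are assumptions for illustration.

```python
"""Added model of the X-Stat injection described above (illustrative, not
GitHub's or Wiz's code). Field names come from the write-up; the header
layout, values and hardening are assumptions."""
from urllib.parse import quote, unquote

DELIM = ";"
SEP = "="

# Fields the trusted side owns in this model. A client-supplied push option
# must never be able to set them.
PROTECTED_FIELDS = frozenset({"rails_env", "custom_hooks_dir", "repo_pre_receive_hooks"})


class HeaderInjection(ValueError):
    """Raised by the strict parser when a field appears more than once."""


def build_header_naive(trusted: dict[str, str], push_options: list[str]) -> str:
    """The flawed layout: trusted fields and raw client push options share one
    ';'-delimited header and nothing escapes the delimiter."""
    parts = [f"{k}{SEP}{v}" for k, v in trusted.items()]
    parts += [f"push_option_{i}{SEP}{opt}" for i, opt in enumerate(push_options)]
    return DELIM.join(parts)


def parse_header_naive(header: str) -> dict[str, str]:
    """Last-write-wins: a duplicate key silently replaces the earlier value."""
    fields: dict[str, str] = {}
    for part in header.split(DELIM):
        if part:
            key, _, value = part.partition(SEP)
            fields[key] = value
    return fields


def build_header_hardened(trusted: dict[str, str], push_options: list[str]) -> str:
    """Percent-encode every value (safe='') so a client string can never
    contain the delimiter or separator; trusted values are encoded too."""
    parts = [f"{k}{SEP}{quote(v, safe='')}" for k, v in trusted.items()]
    parts += [f"push_option_{i}{SEP}{quote(opt, safe='')}" for i, opt in enumerate(push_options)]
    return DELIM.join(parts)


def parse_header_hardened(header: str) -> dict[str, str]:
    """Decode values and fail closed on any duplicate key instead of letting
    a later occurrence win."""
    fields: dict[str, str] = {}
    for part in header.split(DELIM):
        if not part:
            continue
        key, _, value = part.partition(SEP)
        if key in fields:
            raise HeaderInjection(f"duplicate field {key!r}")
        fields[key] = unquote(value)
    return fields


# Constructed sample: what the trusted side sets, and one push option
# (git push -o '<value>') crafted to smuggle three extra fields. The values
# are placeholders, not those used in the real exploit.
TRUSTED = {
    "rails_env": "production",
    "custom_hooks_dir": "/data/hooks",
    "repo_pre_receive_hooks": "hooks/pre-receive",
}
EVIL_OPTION = (
    "harmless;rails_env=attacker"
    ";custom_hooks_dir=/attacker/dir"
    ";repo_pre_receive_hooks=../attacker/binary"
)


def overridden_fields(parsed: dict[str, str]) -> set[str]:
    """Protected fields whose parsed value differs from what the trusted side set."""
    return {k for k in PROTECTED_FIELDS if parsed.get(k) != TRUSTED[k]}


def demo_naive() -> dict[str, str]:
    return parse_header_naive(build_header_naive(TRUSTED, [EVIL_OPTION]))


def demo_hardened() -> dict[str, str]:
    return parse_header_hardened(build_header_hardened(TRUSTED, [EVIL_OPTION]))


def hardened_rejects_raw_header() -> bool:
    """The strict parser fed the unescaped header refuses it outright."""
    try:
        parse_header_hardened(build_header_naive(TRUSTED, [EVIL_OPTION]))
    except HeaderInjection:
        return True
    return False


if __name__ == "__main__":
    print("naive parser, overridden:", sorted(overridden_fields(demo_naive())))
    hardened = demo_hardened()
    print("hardened parser, overridden:", sorted(overridden_fields(hardened)))
    print("push option survives intact:", hardened["push_option_0"] == EVIL_OPTION)
    print("strict parser rejects raw header:", hardened_rejects_raw_header())
```

With the naive pair, one -o value rewrites all three trusted fields and the parser reports nothing. The hardened builder makes the delimiter unrepresentable in a client value, and the strict parser is the second layer: if an unescaped header ever reaches it, the duplicate key is an error rather than a silent override, which is the fail-closed behaviour a parser for mixed-trust input should have.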

Hacker News Comment Review

  • The dominant reaction was architectural disbelief: user-controlled push option strings and auth-service security fields were embedded in the same semicolon-delimited header with no input sanitization, a design commenters called a fundamental mistake regardless of how late it surfaced.
  • Wiz’s use of AI-augmented reverse engineering via IDA MCP to analyze closed-source GHES binaries attracted nearly as much discussion as the bug itself, with commenters framing it as evidence that LLMs now make previously impractical binary auditing viable at scale.
  • The 88% unpatched figure from Wiz’s own telemetry, combined with the patch being 7 weeks old at publication, alarmed on-prem operators; the gap between patch availability and deployment in critical infra was called out as the more systemic problem.

Notable Comments

  • @bananapub: Flags that the GHES 3.19.3 patch dropped March 10 – making the 88% unpatched stat a 7-week failure to apply a critical fix, not a fresh zero-day.
  • @baccatore: Pushes back on Wiz’s “BREAKING” and “millions of repositories” framing for a vulnerability they responsibly disclosed and that was never exploited in the wild.
  • @latchkey: “People keep wanting to replace GitHub, but with what?” – argues incumbent RCEs don’t strengthen the case for self-hosted alternatives with smaller security teams.

Original | Discuss on HN