88% of self-hosted GitHub servers exposed to RCE, researchers warn (CVE-2026-3854)
When researchers at Wiz reported an easily exploitable GitHub remote code execution flaw (CVE-2026-3854) on March 4, the company confirmed it within 40 minutes and pushed a fix to GitHub.com in under two hours.
But for too many of the thousands of organizations running GitHub Enterprise Server on their own infrastructure, the vulnerability still represents a risk.
“Our data indicates that 88% of instances are still vulnerable,” Wiz noted on Tuesday.
CVE-2026-3854
Wiz researchers discovered CVE-2026-3854 in GitHub Enterprise Server, a self-hosted version of GitHub that’s meant for organizations that need to run the platform on their own infrastructure (e.g., organizations in regulated industries).
They found that an authenticated user can exploit the vulnerability with a single git push command to execute arbitrary commands on GitHub’s backend servers.
Wiz’s technical run-down offers more specific insight into how the vulnerability can be leveraged, but the gist for users is this: on GitHub.com, it allowed remote code execution on shared storage nodes; on GitHub Enterprise Server, it grants full server compromise, meaning access to all hosted repositories and internal secrets.
A single git push compromises GitHub’s internal infrastructure (Source: Wiz)
“We confirmed that millions of public and private repositories belonging to other users and organizations were accessible on the affected nodes,” the researchers explained.
Following Wiz’s report, GitHub checked for evidence of execution of an anomalous code path that would indicate attackers had exploited this vulnerability, but found none.
“Every occurrence mapped to the Wiz researchers’ own testing activity,” GitHub CISO Alexis Wales shared, and asserted that “no customer data was accessed, modified, or exfiltrated as a result of this vulnerability.”
Patches are ready
CVE-2026-3854 was quickly fixed in GitHub’s cloud offerings: GitHub Enterprise Cloud, GitHub Enterprise Cloud with Enterprise Managed Users, GitHub Enterprise Cloud with Data Residency, and github.com.
The company also developed fixes for supported GitHub Enterprise Server versions – from v3.14 to 3.20.
“We strongly recommend upgrading to the latest patch release as soon as possible,” the company urged, and advised organizations using the on-prem solution to review the audit log (/var/log/github-audit.log) for push operations containing a semicolon (;) in push options, which would point to exploitation.
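To make that audit-log review repeatable, here is an added example (not code from Wiz, GitHub, or the original article) that scans audit entries for git push operations whose push options contain a semicolon. It assumes a simplified JSON-per-line layout with hypothetical field names (action, actor, repo, push_options); the real GitHub Enterprise Server audit log schema may differ, so the field names are the first thing to adjust. The sample lines are constructed.

```python
import json
from typing import Iterable

# Constructed sample audit entries in an assumed JSON-per-line layout.
# Field names (action, actor, repo, push_options) are hypothetical; the real
# /var/log/github-audit.log schema may use different keys.
SAMPLE_LOG_LINES = [
    '{"action":"git.push","actor":"alice","repo":"acme/api","push_options":[]}',
    '{"action":"git.push","actor":"bob","repo":"acme/web","push_options":["ci.skip"]}',
    '{"action":"git.push","actor":"mallory","repo":"acme/web","push_options":["a;b"]}',
    '{"action":"repo.create","actor":"carol","repo":"acme/new"}',
    'not json at all',  # malformed line: must be skipped, not crash the scan
]


def parse_line(line: str):
    """Return the decoded JSON object for a line, or None if it is not JSON."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


def find_suspicious_pushes(lines: Iterable[str]) -> list[dict]:
    """Return one record per push whose push options contain a ';'.

    Each record carries the 1-based line number, actor, repo and the
    offending option values so an analyst can pivot on them.
    """
    hits = []
    for lineno, line in enumerate(lines, 1):
        rec = parse_line(line.rstrip("\n"))
        if not isinstance(rec, dict) or rec.get("action") != "git.push":
            continue
        opts = rec.get("push_options") or []
        if isinstance(opts, str):  # tolerate a single string instead of a list
            opts = [opts]
        flagged = [o for o in opts if ";" in str(o)]
        if flagged:
            hits.append({
                "line": lineno,
                "actor": rec.get("actor"),
                "repo": rec.get("repo"),
                "push_options": flagged,
            })
    return hits


def scan_file(path: str) -> list[dict]:
    """Stream a log file line by line so large audit logs fit in memory."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_suspicious_pushes(fh)


if __name__ == "__main__":
    for hit in find_suspicious_pushes(SAMPLE_LOG_LINES):
        print(hit)
```

Run scan_file("/var/log/github-audit.log") on the appliance (or on a copied log) and treat every hit as a lead to investigate: the actor, repo and timestamp of the push are the pivot points, and an empty result does not by itself prove the instance was never targeted if log retention is shorter than the exposure window.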