Critical GitHub RCE: A Single Git Push Can Trigger Remote Code Execution

Vulnerability CVE-2026-3854, discovered by Wiz Research and disclosed on April 28, 2026, with a CVSS score of 8.7, allows an authenticated user with push permissions to achieve remote code execution on the backend servers of GitHub.com and GitHub Enterprise Server (GHES). The exploit relies on a crafted git push that targets internal parsing of the X-Stat header. While GitHub.com was secured within two hours on March 4, approximately 88% of self-hosted instances were still vulnerable at the time of public disclosure. Organizations running unpatched servers face a significant risk of total system compromise.

The X-Stat Injection: Turning Metadata into Arbitrary Code

The flaw resides in how metadata is passed between internal GitHub services. When a user executes a git push with custom options, the data is encapsulated in an internal X-Stat header that travels from the babeld service to gitrpcd. The vulnerability stems from a failure to sanitize the ; delimiter: an attacker can inject new fields into a single push option, leveraging the parser's "last-write-wins" semantics to overwrite legitimate values.

Push options are a standard git protocol extension allowing optional parameters to be sent to the server. Under normal conditions, this metadata guides the behavior of server-side hooks without altering the execution environment. However, the lack of escaping for the ; character in the X-Stat header allowed attackers to redefine that environment, violating the trust boundary between services that should operate in separate privilege contexts.

Wiz researchers confirmed the vulnerability by analyzing babeld binaries and pre-receive hooks, and by capturing network traffic on a live GitHub Enterprise Server instance. In a laboratory setting, a push option containing the ; delimiter generated X-Stat fields unexpected by the normal flow, proving that the internal protocol interprets user input as service configuration.

Sandbox Escape: The Triple-Injection Chain on GHES

On GitHub Enterprise Server, this vulnerability facilitates a complete escalation path. An attacker must concatenate three consecutive injections within the X-Stat stream: first, overwriting rails_env; second, redirecting custom_hooks_dir to a controlled directory; and finally, manipulating repo_pre_receive_hooks. This sequence successfully bypasses the sandboxing protections that typically isolate the execution of pre-receive hooks.

The result is arbitrary code execution with git user privileges on the backend server. Researchers documented that this level of access grants full control over the instance, including filesystem read/write capabilities and visibility into internal service configurations. It is currently unknown if identical techniques could be applied to GitHub.com, where the multi-tenant architecture presents a different attack surface.

Alexis Wales, GitHub's CISO, confirmed that by concatenating several injected values, the researchers were able to overwrite the processing environment, bypass sandboxing, and achieve arbitrary command execution on the server.

"With unsandboxed code execution as the git user, we had full control over the GHES instance, including filesystem read/write access and visibility into internal service configuration" — Sagi Tzadik, Wiz security researcher

Multi-Tenant Risks: Protecting Millions of Repositories on GitHub.com

The same class of vulnerability affected GitHub.com, where the platform manages multi-tenant repositories on shared storage nodes. Wiz researchers verified that a successful exploit on the cloud infrastructure could potentially allow access to millions of public and private repositories belonging to other users and organizations from the compromised node. The vendor patched the service on March 4, 2026, within two hours of receiving the report; internal timelines suggest the fix was deployed approximately 75 minutes after validation.

GitHub stated that telemetry monitoring the anomalous code path—which is never triggered under normal operations—mapped every occurrence exclusively to the tests conducted by the researchers, excluding any unauthorized access or exfiltration of customer data. However, it is impossible to rule out undetected exploits prior to the fix, though no evidence currently supports that possibility.

GitHub acknowledged the collaboration with Wiz, classifying the discovery as one of the most severe findings ever handled in its Bug Bounty program, though the exact bounty amount was not disclosed.

Mitigation and Incident Response

For organizations running GitHub Enterprise Server on-premises, the immediate priority is applying the patched versions identified in the official vendor bulletin. Installing the update closes the X-Stat vector before it can be exploited in a targeted attack.

Administrators should also analyze instance audit logs and monitor gitrpcd service logs for any occurrences of the anomalous code path, cross-referencing timelines with the public disclosure date. If updating is not immediately feasible, it is advisable to restrict push permissions on critical repositories until maintenance is complete.

Furthermore, organizations must assess potential host compromise: access as the git user exposes all local repositories, secrets, and runner tokens. A forensic review of systems and a rotation of internal credentials are recommended as prudent countermeasures following the patch installation.

The Wiz discovery highlights a recurring paradox in cloud infrastructure: the speed of a vendor's response does not automatically translate to the protection of the entire installed base. While GitHub.com was secured in less than two hours, the delay in patch adoption for self-hosted systems amplifies risk, turning a managed zero-day into a persistent threat for Enterprise environments. For Italian firms, the CERT-AGID alert reinforces that the governance of internal patching cycles remains the true defensive perimeter.

Frequently Asked Questions

Why does the exploit require push permissions?

The attack vector utilizes git push options, which are parameters transmitted only during a push operation. A user with read-only access cannot generate the data flow required to inject malicious fields into the X-Stat header.

What is the current risk for GitHub.com users?

The cloud platform was patched on March 4, 2026, in under two hours and requires no user action. However, the theoretical issue of shared multi-tenant storage nodes briefly exposed millions of repositories to the risk of cross-tenant access in the interval preceding the fix.

What does "last-write-wins" mean in the context of the X-Stat header?

The parser processing the X-Stat header prioritizes the last value it encounters for any given field. By inserting a ; delimiter followed by a key-value pair, an attacker overwrites the legitimate configuration set by the babeld service, diverting the behavior of the gitrpcd service.

Information has been verified against cited sources and is current as of the time of publication.

Sources

• https://cert-agid.gov.it/news/github-e-github-enterprise-server-vulnerabilita-rce-cve-2026-3854/
• https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854
• https://thehackernews.com/2026/04/researchers-discover-critical-github.html
• https://cipherssecurity.com/cve-2026-3854-how-the-github-enterprise-server-rce-works-and-how-to-verify-youre-patched/
• https://github.blog/security/securing-the-git-push-pipeline-responding-to-a-critical-remote-code-execution-vulnerability/