GitHub patched a critical git push flaw affecting private repositories

GitHub has disclosed details of CVE-2026-3854, a critical remote code execution flaw in its git push pipeline that could have exposed millions of private repositories. According to GitHub, the bug was reported by Wiz on March 4 and patched on GitHub.com less than two hours later, with enterprise patches now available for self-hosted customers.

This matters because the vulnerable path sat in one of the most sensitive parts of GitHub's infrastructure: the code-handling flow that processes pushes from developers. A bug there is not just another web application issue. It creates a route to source code, internal secrets, and software supply chains that many large companies rely on every day.

GitHub said an attacker with push access to any repository, including one they created themselves, could abuse unsanitized git push options to inject trusted internal metadata and eventually execute arbitrary commands on the server handling the push. In its own write-up, GitHub said the exploit required only a single crafted git push command. Wiz, whose researchers found the issue through GitHub's bug bounty program, said the impact on GitHub.com could have reached millions of public and private repositories on affected shared storage nodes.

The company said its internal team reproduced the issue within 40 minutes, deployed a fix to GitHub.com the same day, and then ran a forensic review. GitHub says that review found no evidence the flaw had been exploited before disclosure. It also removed an unnecessary code path from affected environments as part of a broader hardening effort.

The remaining operational risk is on GitHub Enterprise Server. GitHub has released fixes across supported versions and says administrators should upgrade immediately and review audit logs for suspicious push activity. That is the practical takeaway here. Even though GitHub.com was patched quickly, enterprise customers still need to assume this is a high-priority remediation because code-hosting systems sit close to everything else in the software stack. As first highlighted in broader reporting by BleepingComputer and detailed by GitHub and Wiz, this was the kind of infrastructure bug that can turn a developer workflow into a supply-chain incident very quickly.