Securing the Git push pipeline: Responding to a critical remote code execution
- GitHub received a critical RCE vulnerability report from Wiz researchers on March 4, 2026.
- The bug allowed users with push access to execute arbitrary commands via crafted git push options.
- A fix was deployed to github.com within two hours, with no evidence of prior exploitation found.
- Patches for GitHub Enterprise Server (GHES) were released under CVE-2026-3854.
- GitHub also implemented defense-in-depth by removing unnecessary code paths.